Information obligation for customers in accordance with Art. 13 and Art. 14 GDPR
The protection of your data and transparency regarding how we process it are very important to us. We therefore hereby comply with our obligation to provide information about the processing of data in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR).
The processing of your personal data gives rise to the following rights for you:
- a. Right of access (see Art. 15 GDPR)
- b. Right to rectification (see Art. 16 GDPR)
- c. Right to erasure (see Art. 17 GDPR)
- d. Right to restriction of data (see Art. 18 GDPR)
- e. Right to object (see Art. 21 GDPR)
- f. Right to data portability (see Art. 20 GDPR)
Right of withdrawal: If the processing is based on Art. 6 paragraph 1 letter a GDPR or Art. 9 paragraph 2 letter a GDPR, you have the right to revoke your consent at any time. Data processed up to this point remains unaffected by the revocation.
Contact details of the data protection officer: Regina Stoiber GmbH, Mr. Josef Dillinger, Unterer Sand 9, 94209 Regen, josef@datenbeschuetzerin.de, +499921/ 906 2720
You have the right to appeal to a regulatory authority if you believe that the processing of your personal data is unlawful.
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Phone: +49 (0) 981 180093-0
Fax: +49 (0) 981 180093-800
E-mail: poststelle@lda.bayern.de
The data controller is:
COMDO GmbH
Martin Bertel, Managing Director
Raiffeisenallee 5
82041 Oberhaching
Phone: +49 89 125033700
E-mail: info@comdo.de
The responsible body is the natural or legal person who, alone or together with others, decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).
Data will only be transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the execution of the service contract or if you have given us your consent or if this is otherwise legally permissible. In this case, we take measures to ensure the protection of your data, for example through contractual provisions. We only transfer data to recipients who ensure the protection of your data in accordance with the provisions of the GDPR for the transfer of data to third countries (Art. 44 to 49 GDPR).
1 Data processing in the context of order processing
1.1 Order entry and processing
In order to process your order or request, we collect personal data from contact persons (name, address, email address, telephone number, mobile phone number) as part of the process. Your data is entered and stored in our central system.
For the written activity planning of our projects, we have a weekly plan that may also contain personal data in the form of customer master data and project information.
The processing is based on a contract or pre-contractual measure in accordance with Art. 6 (1) point b GDPR.
The data is forwarded internally to the necessary departments and, if necessary, to external parties who are subject to confidentiality (e.g. legal advice, press) or to other external parties (e.g. shipping service providers, business partners, subcontractors) in order to process the order further.
We have commissioned an external service provider to provide technical support for our IT systems: ComHelp Computers GmbH, Hans-Riedl-Straße 19, D-85622 Feldkirchen. A data processing agreement has been concluded with the service provider.
The data is stored in accordance with the statutory retention requirements. If no contractual relationship comes about, your data will be deleted after one year without active contact.
1.2 IT support on request
In order to process your order or request, we collect personal data from contact persons (name, address, e-mail address, telephone number, cell phone number) as part of the process. Depending on the order, the responsible person is given access to and insight into the client's systems and thus, if necessary, to personal data.
For the written activity planning of our projects, we keep a plan in our calendar that may also contain personal data in the form of customer master data and project information.
The data is forwarded internally to the necessary departments and, if necessary, to external parties (e.g. shipping service providers/business partners/subcontractors/manufacturers) in order to be able to process the order further.
The data is stored in accordance with the statutory retention requirements.
1.3 Contract management
In order to organize contracts, contracts are scanned and electronically stored in our system. These are contracts from customers, business partners, service providers, affiliated companies and others as applicable. The contracts may contain personal data in the form of contact information and personal data (financial information, etc.) for the purpose of contract execution.
The processing of the data is based on the performance of the contract in accordance with Article 6 (1) point b GDPR, which allows the processing of data for the performance of a contract or pre-contractual measures.
The data will be stored in accordance with the statutory retention requirements.
1.4 Communication
In order to get in touch with you, we write you an e-mail with further information to process your request, your order or as part of our general business relationship. For this purpose, your e-mail address, the e-mail content and the history of communication are recorded. The e-mails are hosted by an external service provider. The providers are ComHelp Computers GmbH, Hans-Riedl-Straße 19, D-85622 Feldkirchen and noris network AG, Thomas-Mann-Straße 16 – 20, 90471 Nuremberg. We have concluded a data processing agreement with the provider.
Furthermore, we may also call you by phone using the landline or mobile phone number you have provided us with.
The processing of the data is based on the performance of a contract pursuant to Article 6 (1) point b GDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract (customer relationship, contracts with business partners).
A transfer of the data will only take place if this has been agreed with you or is necessary for the current business transaction.
Your data will be stored by us on our systems in accordance with the legal storage requirements.
2 Data processing in IT systems
2.1 Contact and address management
To manage all contact information for business partners and customers, we store the contacts in our system. The following are stored: name or contact person, address, telephone number, mobile phone number and e-mail address.
The data collection is based on a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, in order to manage contact information of employees and business partners in an organized manner.
Only our employees have access to this system. The external service provider ComHelp Computers GmbH, Hans-Riedl-Straße 19, D-85622 Feldkirchen, has been contracted to provide technical support. A data processing agreement has been concluded with the service provider.
Your contact details will be stored in our system for the duration of the business relationship and for a further year thereafter.
2.2 Audio and video conferencing, remote software
2.2.1 Data processing
We use online conferencing tools, among other things, to communicate with our customers. The tools we use individually are listed below. If you communicate with us via video or audio conference or remote software over the internet, we and the provider of the respective conferencing tool will collect and process your personal data.
The conference tools collect all the data that you provide or use in order to use the tools (email address and/or your telephone number). Furthermore, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other “context information” related to the communication process (metadata).
Furthermore, the tool provider processes all technical data required to handle the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker, as well as the type of connection.
If content is exchanged, uploaded or otherwise made available within the tool, this is also stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.
Please note that we do not have full influence on the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the data protection declarations of the tools used, which we have listed below this text.
2.2.2 Purpose and legal basis
The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). If consent has been requested, the tools in question will be used on the basis of this consent; consent may be revoked at any time with effect for the future.
2.2.3 Storage duration
The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on the storage period of your data that is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
2.3 Conference tools used
We use the following conference tools:
2.3.1 TeamViewer (remote software)
We use TeamViewer. The provider is TeamViewer Germany GmbH, Jahnstr. 30, 73037 Göppingen. For details on data processing, please refer to TeamViewer's privacy policy: https://www.teamviewer.com/de/datenschutzerklaerung/.
2.3.2 Order processing
We have concluded an agreement on order processing with the above-named provider. This is a contract that is required under data protection law and ensures that the personal data of our website visitors is processed only in accordance with our instructions and in compliance with the GDPR.
2.3.3 Microsoft Teams
We use Microsoft Teams. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. For details about data processing, see the Microsoft Teams privacy statement: https://privacy.microsoft.com/de-de/privacystatement.
2.3.4 Data processing
We have concluded a data processing agreement with the above-named provider. This is a contract that is required under data protection law and ensures that the personal data of our website visitors is processed only in accordance with our instructions and in compliance with the GDPR.
2.4 File sharing via OneDrive
We use OneDrive to exchange files with you. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “OneDrive”).
OneDrive allows us to incorporate a folder structure on our system where you can upload content. When you upload content, it is stored on OneDrive servers. A connection to OneDrive is also established so that OneDrive can determine that you have visited our system.
OneDrive is used on the basis of Art. 6 (1) (f) GDPR. The controller has a legitimate interest in a reliable and efficient data exchange system.
2.4.1 Data processing
We have concluded an agreement on data processing with the provider named above. This is a contract that is required under data protection law and ensures that the personal data of our website visitors is processed only in accordance with our instructions and in compliance with the GDPR.
2.5 Guest Wi-Fi
We offer our guests the option of internet access. To do this, you will receive access to our guest Wi-Fi. You can request access from the managing director or a responsible employee. Your name and the log data are stored in our system.
Use of the Wi-Fi is based on voluntary consent in accordance with Art. 6 (1) point a GDPR. You can withdraw your consent informally at any time. However, this will mean that you will no longer be able to use the internet access.
The data will only be passed on if this has been agreed with you or is necessary for the current incident. The external service provider ComHelp Computers GmbH, Hans-Riedl-Straße 19, D-85622 Feldkirchen, has been contracted to provide technical support. A data processing agreement has been concluded with the service provider.
The log data is stored for three months and then deleted from the system.
3 IT ticket system
We use a ticket tool in IT to prioritize and document requests for IT support. This tool is provided by Zammad GmbH, Marienstrasse 18, 10117 Berlin. An order processing contract has been concluded with the service provider. When you submit a ticket, we collect the following information from the processor: surname, first name. We collect the following information from the requester: surname, first name, department. Depending on the type of error, personal data may also be included in the error description itself.
The processing of the data is based on a business purpose in accordance with Art. 6 Para. 1 lit. f GDPR. The controller has a legitimate interest in optimizing processes and customer support.
The data is processed in the IT department and, if necessary, forwarded to an external support service provider to process the case. If your data is forwarded to a service provider for further processing, we have concluded an order processing contract with them.
Your personal data will be stored until the purpose has been fulfilled.
4 Financial accounting
5.1 Financial accounting
We have mapped a process in our IT systems for handling financial accounting in the company. It is possible that personal data of contact persons or invoice information (name, address, email address, telephone number, mobile phone number) may be processed as part of this process.
The processing is based on a legal requirement according to Art. 6 para. 1 lit. c GDPR. The processing is necessary to fulfill a legal obligation to which the person responsible is subject (principles of proper accounting).
We have commissioned an external service provider for payroll accounting: Monika Grasberger Fa. Inwords. An order processing contract has been concluded with the service provider. For accounting purposes, the data is transmitted to the tax consultants Bayer & Partner Rechtsanwälte und Steuerberater, Hauptstraße 102, 82008 Unterhaching.
The data is stored in accordance with the statutory retention requirements.
5.2 Dunning
In the event of outstanding claims, a reminder will be sent and, in the event of non-payment, the claims will be forwarded to Bayer & Partner Rechtsanwälte und Steuerberater, Hauptstraße 102, 82008 Unterhaching. For this purpose, we require: name, address and the amount of the outstanding claim.
The processing is based on a contract or pre-contractual measure in accordance with Art. 6 Para. 1 lit. b GDPR.
The data is forwarded to Bayer & Partner Rechtsanwälte und Steuerberater, Hauptstraße 102, 82008 Unterhaching.
The data is stored in accordance with the statutory retention requirements.
The data is not stored.
5 Facility Management
6.1 Head office, visitor management
Distribution of incoming post to the relevant departments and individuals. Personal letters are delivered unopened. Central call answering and forwarding. Visitors are received and recorded on a visitor list to keep track of which external persons are on the premises.
For this purpose, we collect the following data from you: name of employee, name of business partner, attendance times of the visitor, signature of the visitor.
The data collection is based on a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, in order to only allow authorized persons on the premises.
Your data will only be passed on if this has been agreed with you or is necessary for the current business transaction.
Your data will be stored by us on our systems in accordance with the legal storage requirements.
6 Other
7.1 Paper and file disposal / data storage media disposal
Paper documents and data carriers containing personal data that are no longer required are destroyed. This ensures that the deletion deadlines are met after the retention period.
All data from the customer relationship may be on the documents and paper carriers.
The processing of the data is based on a legal requirement according to Art. 6 para. 1 lit. c GDPR; the processing is necessary to fulfill a legal obligation to which the controller is subject.
The data is forwarded to the certified disposal company Rhenus Data Office GmbH, Industriestraße 5, 48301 Nottuln-Appelhülsen, which the controller commissions to destroy and dispose of the data. A data processing agreement has been concluded with the disposal company.
7.2 Data protection management
You can contact the external data protection officer at any time by email at info@datenbeschuetzerin.de or by phone at 09921 9062720.
In doing so, your name, the reason for the request, the facts of the case, and any data of the person concerned stored in the system will be collected and stored.
The processing of the data is based on the performance of the contract in accordance with Art. 6 (1) point b GDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract (service contract, employment contract).
The information will only be passed on with your consent.
Your personal data will be stored for as long as needed for the purpose. Legal storage obligations remain unaffected.
7 Application
8.1 Handling of applicant data
We offer you the opportunity to apply to us (e.g. by email or post). The following information is about the scope, purpose and use of the personal data collected from you during the application process. We assure you that the collection, processing and use of your data is carried out in accordance with the applicable data protection law and all other statutory provisions and that your data is treated in strict confidence.
8.2 Scope and purpose of data collection
If you send us an application, we will process the associated personal data (e.g. contact and communication data, application documents, notes taken during job interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The legal basis for this is Section 26 of the German Federal Data Protection Act (BDSG) under German law (initiation of an employment relationship), Article 6 (1) (b) GDPR (general contract initiation) and – if you have given your consent – Article 6 (1) (a) GDPR. Consent can be revoked at any time. Your personal data will only be shared within our company with individuals involved in processing your application.
If your application is successful, the data you have submitted will be stored in our data processing systems on the basis of § 26 BDSG and Art. 6 (1) (b) GDPR for the purpose of implementing the employment relationship.
8.3 Data retention period
If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to store the data you have submitted for up to six months from the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 (1) (f) GDPR). After that, the data will be deleted and the physical application documents destroyed. The storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the six-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention requirements preclude deletion.
8 Our social media sites
9.1 Data processing by social networks
We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.
Social networks such as Facebook, LinkedIn, etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. Specifically:
If you are logged into your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection is done, for example, by cookies that are stored on your device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This way, interest-based advertising can be displayed to you both within and outside of the respective social media site. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.
Please also note that we are not able to retrace all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection policies of the respective social media portals.
9.2 Legal basis
Our social media appearances are intended to ensure the broadest possible presence on the internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases, which are to be indicated by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) point a GDPR).
9.3 Person responsible and assertion of rights
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can, in principle, assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) against both us and the operator of the respective social media portal (e.g. Facebook).
Please note that, despite our shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
8.4 Storage duration
The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory provisions – in particular, retention periods – remain unaffected.
We have no influence over the duration of storage of your data by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g. see their privacy policies below).
9.5 Social networks in detail
9.5.1 Facebook
We have a profile on Facebook. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland. According to Facebook's statement, the collected data will also be transferred to the USA and other third countries.
We have concluded an agreement with Facebook on joint processing (Controller Addendum). This agreement determines which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can customize your advertising settings independently in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
For details, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/.
9.5.2 LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Data transfer to the US is based on the EU Commission's standard contractual clauses. You can find details here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
For details on how they handle your personal data, please refer to the LinkedIn privacy policy: https://www.linkedin.com/legal/privacy-policy