Data protection policy for customers and prospective clients

Information on data protection and how we process the data of our customers and prospective clients in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)

 

Dear customer and prospective client,

We hereby inform you about the processing of your personal data and your rights in this regard pursuant to Articles 13, 14 and 21 of the GDPR. Determining which data is processed in detail and how it is used depends largely on the requested or agreed services.

1. Person in charge of the data protection rights

CAD-PLAN GmbH
Hanauer Landstr. 174
60314 Frankfurt
Germany
069-800818-0
info@cad-plan.com
www.cad-plan.com

2. Contact information of our data protection officer

Dominik Fünkner

datenschutz@cad-plan.com

3. Purposes and legal basis of processing data

We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (FDPA) for the purpose of implementing, executing and fulfilling contracts and for implementing pre-contractual measures. According to Article 6(1) lit. b of the GDPR, the processing of personal data is lawful as long as its disclosure is required for the establishment or the implementation of contractual relationships or in the context of the implementation of pre-contractual measures.

In accordance with Article 6 (1) lit. a of the GDPR, the legality of processing personal data is based upon your consent. Thus, personal data will only be processed if you give us your explicit consent to process the data for specific purposes (e.g. disclosure of data to third parties or data evaluation for marketing or advertising purposes). An issued consent can be revoked at any time (see Section 9 of this data protection policy). Please note that the revocation only works for future processing. Processing that occurred before the revocation will not be affected.

Where required and permitted by law, we may process your data beyond the actual purpose of the contract in order to fulfil legal obligations (Article 6 (1) lit. c GDPR). In addition, processing may be carried out to protect our or any other third party’s legitimate interests (Article 6 (1) (f) GDPR); we will inform you separately about this and indicate the legitimate interests, as required by law.

4. Categories of personal data

We process data that are related to contract execution or pre-contractual measures. This may be general information about you or your company (such as your name, address and contact details) or any other information that you provide us as part of the execution of the contract.

5. Sources of data

We process personal data which we receive from you during the contact establishment and execution of contractual relationship, or in the context of pre-contractual measures.

6. Recipients of data

We only disclose your personal data within our company to areas where this data is needed to fulfil contractual and legal obligations, or to protect our legitimate interests.

We may transfer your personal data to companies affiliated with us, to the extent permitted by the purposes and legal basis mentioned under Section 3 of the Data Protection Policy.

Your personal data will be processed on our behalf based on the data processing contracts in accordance with Article 28 of the GDPR. In these cases, we ensure that the processing of personal data takes place in accordance with the General Data Protection Regulation. The categories of recipients in this case are our tax office and payroll department.

Data transfer to recipients outside of the company otherwise only takes place if permitted or required by the law, if the disclosure for processing was needed to execute and therefore fulfil the contract, if it is required for the implementation of pre-contractual measures at your request, or if you have consented and we were authorized to provide the information. Under these conditions, recipients of personal data may, for example, be:

  • Public authorities and institutions (e.g. public prosecutors, police, regulatory authorities, tax authorities) in the presence of a legal or regulatory obligation.
  • Recipients to whom the disclosure is directly required for executing or fulfilling the contract, such as financial services providers, transport services providers, and hotels.
  • Other data recipients for whom you have given us your consent to submit the data.

7. Disclosure to a third country

Disclosure to a third country is not intended.

Disclosure of personal data to countries outside the EEA (European Economic Area) or to an international organization will only take place if it is necessary for the execution and therefore the fulfilment of the contract, if it is needed for the implementation of pre-contractual measures at your request, if it is required by law, or if you have given us your consent. Recipients in these cases may include, inter alia, local agencies, airlines and hotels.

8. Duration of data retention

Where necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the establishment and execution of a contract or for the fulfilment of the contractual purpose.

In addition, we are subject to various storage and documentation obligations, which include among others, the German Commercial Code (HGB) and the German Fiscal Code (AO). The deadlines for storage and documentation range from two to ten years.

Finally, the storage period is also determined by the statutory limitation periods, which is usually three years according to Articles 195 et seq. of the German Civil Code (BGB). But in some cases, it may go up to thirty years.

9. Your rights

In accordance with the GDPR, each affected person has the right to obtain information under Article 15, the right to demand correction under Article 16, the right of erasure under Article 17, the right to request restriction on processing data under Article 18, the right to obtain communication under Article 19 and the right to data transferability under Article 20.

In addition, if you believe that the processing of your personal data is unlawful, you have a right of appeal to a data protection supervisory authority under Article 77 of the GDPR. The right of appeal is without prejudice to any other administrative or judicial remedies.

If the processing of data is based on your consent, you are entitled in accordance with Article 7 of the GDPR to revoke your consent to the use of your personal data at any time for any future processing. Please note that we may need to retain certain data for regulatory compliance, if applicable, for a certain period of time.

The right of objection

As long as the processing of your personal data is in line with the protection of legitimate interests in accordance with Article 6 (1) lit. f of the GDPR, then according to Article 21 of the GDPR, you have the right to object to the processing of these data at any time and for any reason that may have resulted from your particular situation. We will then no longer process this personal data unless we can demonstrate compelling legitimate reasons for processing that would outweigh your interests, rights and freedoms, or if the processing is for the purpose of enforcing, exercising or defending legal claims.

In individual cases, we may process your personal data in order to operate direct advertising. You have the right to object to the processing of your personal data at any time for purposes of such advertising. This also applies to profiling as long as it is associated with direct advertising. If you object to the processing for direct advertising purposes, we will no longer process your personal data for these purposes.

To protect your rights, you can always contact us using the contact information mentioned above.

10. Necessity of providing personal data

The provision of providing personal data for the purpose of executing, fulfilling or implementing pre-contractual measures is generally not required by law or contract. Thus, you are not required to provide personal data. However, the provision of providing personal data is usually required for the decision on the conclusion of a contract, the fulfilment of the contract or for pre-contractual measures. You should and must always provide only the personal data that are required for the conclusion and the fulfilment of the contract, or for the fulfilment of the pre-contractual measures. If you do not provide us with any personal data, we may not be able to make a decision in the context of contractual measures.

11. Automated decision-making

In principle, and in accordance with Article 22 of the GDPR, we do not use fully-automated decision-making to execute or implement business relationship or pre-contractual measures. If we use these procedures for individual cases, we will inform you about it separately or obtain your consent, as long as it is required by law.