1. Foreword
1.1. Data protection is especially important to Bratzler.
1.2. This data privacy policy will inform you about the manner, extent, and purpose of the processing of personal data within our website and the websites, functions, and content associated with it (hereinafter referred to jointly as “website”). The data privacy policy applies regardless of the domains, systems, platforms, and devices used (e.g. desktop or mobile) for the operation of the website.
2. Controller
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union, and other legal provisions of a data protection nature, is:
Bratzler & Co. GmbH
Am Großmarkt 10
76137 Karlsruhe, Germany
Tel.: +49 (0)721 96185 0
Fax: +49 (0)721 98818 431
E-Mail: kontakt_at_bratzler.com
3. Data protection officer
The data protection officer of the controller is:
DSBX GmbH
Gablonzer Straße 4
76185 Karlsruhe
E-Mail: Bratzler-en_at_dsbx.one
Telefon: +49 (0)721 98615899
Any data subject can contact our data protection officer at any time if they have any questions or remarks regarding data privacy.
4. Definitions
4.1. Our data privacy policy is based on definitions that were used by the European issuers of guidelines and directives when issuing the General Data Protection Regulation (GDPR). Our data privacy policy is intended to be easily legible and comprehensible to both the public and our clients and business partners.
4.2. In order to guarantee this, we would like to explain the terms used beforehand. The terms used, such as “personal data” or its “processing”, are defined in Art. 4 of the General Data Protection Regulation (GDPR).
4.3. We use the following terms, among others, in this data privacy policy:
4.3.1. Personal data
Personal data is all information that relates to an identified or identifiable natural person (hereinafter referred to as “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, particularly via allocation to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific features that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of this person.
4.3.2. Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the party responsible for the processing.
4.3.3. Processing
Processing is any process or any such sequence of processes that takes place with or without the aid of automated procedures and is related to personal data, such as collection, logging, organisation, sorting, storage, adjustment or modification, reading, requesting, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, deletion, or erasure.
4.3.4. Restriction of processing
Restriction of processing is the marking of stored personal data with the objective of restricting its future processing.
4.3.5. Profiling
Profiling is any type of automated processing of personal data that consists of this personal data being used in order to evaluate certain personal aspects related to a natural person, particularly with the aim of analysing or predicting aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence, or location changes of this natural person.
4.3.6. Pseudonymisation
Pseudonymisation is the processing of personal data in a manner in which the personal data can no longer be matched with a specific data subject without the involvement of additional information, provided that this additional information is stored separately and technical and organisational measures are in place that guarantee that the personal data cannot be matched with an identified or identifiable natural person.
4.3.7. Controller or party responsible for the processing
The controller or party responsible for the processing is the natural or legal person, authority, organisation, or other body that decides on the purpose and means of the processing of personal data, alone or together with others. If the purpose and means of this processing are set by Union law or the law of the member states, the specific criteria of their designation can be set for the controller(s) in accordance with Union law or the law of the member states.
4.3.8. Processor
The processor is a natural or legal person, authority, organisation, or other body that processes personal data on behalf of the controller.
4.3.9. Recipient
A recipient is a natural or legal person, authority, organisation, or other body that personal data is disclosed to, regardless of whether it is a third party or not. Authorities that may receive personal data within the framework of a specific investigation mandate in accordance with Union law or the law of the member states, however, are not considered recipients.
4.3.10. Third parties
A third party is a natural or legal person, authority, organisation, or other body apart from the data subject, controller, processor, and the people who are authorised to process the personal data under the direct responsibility of the controller or the processor.
4.3.11. Consent
Consent is any declaration of will submitted by the data subject voluntarily, in an informed manner and unambiguously, in the form of a declaration or another clear confirmatory action with which the data subject indicates that it agrees to the processing of its personal data.
5. General information about data processing
5.1. Scope of the processing of personal data We generally only collect and use personal data of our users if this is necessary for the provision of a functioning website and our content and services. The collection and use of personal data of our users usually only takes place with the consent of the user. An exception applies in cases in which the prior acquisition of consent is not possible for practical reasons, and the processing of the data is permitted by statutory provisions.
5.2. Legal basis for the processing of personal data
5.2.1. If we obtain consent from the data subject for personal data processing operations, Art. 6(1)(a) GDPR serves as the legal basis.
5.2.2. During the processing of personal data that is necessary for the performance of a contract of which the data subject is a contracting party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies for processing operations that are necessary for the implementation of precontractual measures.
5.2.3. If the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
5.2.4. In the case that vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6(1)(d) GDPR serves as the legal basis.
5.2.5. If the processing is necessary for the protection of a legitimate interest of our company or a third party and the interests, fundamental rights, and fundamental freedoms of the data subject do not override the first-named interest, Art. 6(1)(f) GDPR serves as the legal basis for the processing.
5.3. Erasure of data and storage duration
5.3.1. The personal data of the data subject is erased or blocked as soon as the purpose of the storage ceases to apply. Storage can additionally take place if this has been provided by the European or national legislators in Union law regulations, laws, or other provisions to which the controller is subject.
5.3.2. A blockage or erasure of the data will take place if a storage period provided by the named standards expires, unless it is necessary to continue to store the data for the conclusion or performance of a contract.
6. Provision of the website and creation of log files
6.1. Description and scope of the data processing
6.1.1. Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
6.1.2. The following data is hereby collected: - Information about the browser type and the version used - The operating system of the user - The internet service provider of the user - The IP address of the user - The date and time of access - Websites from which the system of the user reaches our website (referrer URL) - Websites that are accessed by the system of the user via our website
6.1.3. The data is also stored in log files in our system. This data is not stored together with other personal data of the user.
6.1.4. The data is also stored in the log files of our system. This does not concern the IP address of the user or other data that enables the data to be matched with a user. This data is not stored together with other personal data of the user.
6.2. Legal basis for the data processing
6.2.1. The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) GDPR.
6.3. Purpose of the data processing
6.4. The temporary storage of the IP address by the system is necessary to enable the website to be supplied to the computer of the user. For this purpose, the IP address of the user must be stored for the duration of the session.
6.5. Storage in log files takes place in order to ensure the functionality of the website. In addition, the data enables us to optimise the website and ensure the security of our information technology systems. In this respect, the data is not analysed for marketing purposes.
6.6. Another one of these purposes is our legitimate interest in data processing in accordance with Art. 6(1)(f) GDPR.
6.7. Duration of the storage
6.8. The data is deleted as soon as it is no longer required to achieve the purpose of its collection. In the case of the logging of the data for the provision of the website, this is the case when the respective session has ended.
6.9. In the case of the storage of the data in log files, this is the case after 30 days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or distorted, so that a match with the accessing client is no longer possible.
6.10. Objection and rectification possibility
The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. As a result, it is not possible for the user to object.
7. Email contact
7.1. Description and scope of the data processing
7.1.1. On the basis of our legitimate interests, we use the possibility of contacting us via email on this website.
7.1.2. It is possible to contact us via the email address provided. In this case, the personal data of the user sent with the email will be stored.
7.1.3. In this respect, no data is passed on to third parties. The data is only used to process the conversation.
7.2. Legal basis for the data processing
7.2.1. The legal basis for the processing of the data that is sent in the course of an email transmission is Art. 6(1)(f) GDPR. If the email contact is aimed at concluding a contract, Art. 6(1)(b) GDPR is an additional legal basis for the processing.
7.3. Purpose of the data processing
7.3.1. In the case of contact via email, this also includes the necessary legitimate interest in the processing of the data.
7.4. Duration of the storage
7.4.1. The data will be deleted as soon as it is no longer required to achieve the purpose of its collection. For the personal data that is sent via email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be gathered from the circumstances that the issue in question has been conclusively clarified.
7.5. Withdrawal and rectification possibility
7.5.1. The user has the right at any time to withdraw its consent to the processing of the personal data. If the user contacts us via email, it can object to the storage of its personal data at any time. In such a case, the conversation cannot be continued.
7.5.2. All personal data that is stored in the course of the contact will be erased in this case.
8. Google Maps
8.1. Scope of the processing of personal data
8.1.1. On the basis of our legitimate interests, we use the Google Maps service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
8.1.2. Google Maps is an online map service provided by Google. The Earth’s surface can be seen as a roadmap, or as an aerial or satellite image.
8.1.3. The use of the service takes place to include map data on our webpages. The inclusion of Google Maps is carried out via a server request to Google via an interface, the Google Maps API.
8.1.4. When accessing a page on our website in which an according map section has been included, a request is sent to a Google server in the USA, where it is stored and processed. Via the use of Google Maps, the Google servers send data to the browser of the user to present map information.
8.1.5. Google has recognized the EU Commission's standard contractual clauses for the transfer of personal data to third countries and thereby offers a guarantee of compliance with European data protection law.
8.1.6. Further information about the Google Maps service can be found at https://support.google.com/maps/.
8.2. Legal basis for the processing of personal data The legal basis for the processing of the personal data of the user is Art. 6(1)(f) GDPR.
8.3. Purpose of the data processing
8.3.1. The data processing takes place in the interest of the analysis, optimisation, and economic operation of the website, in order to include content or service offers of third parties and their content and services.
8.3.2. We use Google Maps to include verified map data on our website.
8.3.3. The purpose and scope of the data collection and the further processing and use of the data by Google can be seen in the data privacy policy of Google at https://policies.google.com/privacy?hl=en.
8.4. Duration of the storage
8.4.1. The data will be erased as soon as it is no longer necessary for our recording purposes.
8.5. Objection and rectification possibility
8.5.1. Further information about data use by Google, and setting and objection possibilities, can be found on the Google websites https://www.google.com/intl/en/policies/privacy/partners (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“Advertising”), http://www.google.com/settings/ads (“Managing information that Google uses in order to show you advertisements”).
9. Rights of the data subject If personal data about you is processed, you are the data subject within the meaning of the GDPR, and you have the following rights vis-à-vis the controller:
9.1. Right of access
9.1.1. You can request that the controller confirms to you whether personal data concerning you is processed by us.
9.1.2. If such processing takes place, you can request information about the following from the controller:
(1) the purpose for which the personal data is processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you has been or is yet to be disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if specific information about this is not possible, criteria for the determination of the storage duration;
(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to the restriction of the processing by the controller, or a right to object to this processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information about the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of an automated decision-making process including profiling in accordance with Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, and the scope and intended effects of such processing for the data subject.
9.1.3. You have the right to request information about whether the personal data concerning you is sent to a third country or an international organisation. In this respect, you can request that you be informed about the suitable guarantees in accordance with Art. 46 GDPR in connection with the transfer.
9.2. Right to rectification
9.2.1. You have a right to rectification and/or completion by the controller, if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification immediately.
9.3. Right to restriction of processing
9.3.1. In the following circumstances, you can request the restriction of the processing of the personal data concerning you:
(1) if you contest the correctness of the personal data concerning you for a duration that enables the controller to examine the correctness of the personal data;
(2) the processing is unlawful and you refuse the erasure of the personal data, instead requesting the restriction of the use of the personal data;
(3) the controller no longer requires the personal data for the purposes of the processing, but you require it for the assertion, exercise, or defence of legal claims; or
(4) if you have objected to the processing in accordance with Art. 21(1) GDPR and it is not yet certain whether the legitimate interests of the controller override your rights.
9.3.2. If the processing of the personal data concerning you has been restricted, this data may only be processed – apart from its storage – with your consent or for the assertion, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or a member state.
9.3.3. If the restriction of the processing in accordance with the above requirements has been restricted, you will be informed by the controller before the restriction is lifted.
9.4. Right to erasure
9.4.1. You can request from the controller that the personal data concerning you be erased immediately, and the controller is obliged to erase this data immediately, provided that one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR is based, and there is no other legal basis for the processing.
(3) You object to the processing in accordance with Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Art. 21(2) GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) The erasure of the personal data concerning you is necessary for the fulfilment of a legal obligation in accordance with Union law or the law of the member states to which the controller is subject.
(6) The personal data concerning you has been collected in relation to the offer of information society services in accordance with Art. 8(1) GDPR.
9.5. Information to third parties If the controller has made the personal data concerning you public and is obliged to erase it in accordance with Art. 17(1) GDPR, it will take appropriate measures, including measures of a technological nature, in consideration of the available technology and the implementation costs, in order to inform parties responsible for the data processing, which process the data, that you as the data subject have requested from them the erasure of all links to this personal data, or copies or replications of this personal data.
9.6. Exceptions There is no right to erasure if the processing is necessary:
(1) to exercise the right to free speech and information;
(2) to fulfil a legal obligation that requires the processing in accordance with the law of the Union or the member states to which the controller is subject, or for the performance of a task that is in the public interest or for the exercise of public authority that has been assigned to the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i), as well as Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific purposes, historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR, provided that the right named under section a) temporarily makes the achievement of the objectives of this agreement impossible or seriously impairs them; or
(5) for the assertion, exercise, or defence of legal claims.
9.7. Right to information
9.7.1. If you have exercised the right to rectification, erasure, or restriction of the processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or deletion of the data or restriction of the processing, unless this proves to be impossible or is associated with a disproportionate effort.
9.7.2. You have the right to be informed by the controller about these recipients.
9.8. Right to data portability
9.8.1. You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common, and machine-readable format. You also have the right to transfer this data to another controller without being obstructed by the controller that was provided with the personal data, provided that
(1) the processing is based on consent in accordance with Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract in accordance with Art. 6(1)(b) GDPR; and
(2) the processing takes place with the aid of an automated process.
9.8.2. In exercising this right, you also have the right to arrange for the personal data concerning you to be transferred directly from one controller to another controller, provided that this is technically feasible. Freedoms and rights of other people may not be impaired by this action.
9.8.3. The right to data portability does not apply for the processing of personal data that is necessary for the performance of a task that is in the public interest or takes place in the exercise of public authority that has been assigned to the controller.
10. Right to object
10.1. You have the right, for reasons resulting from your particular situation, to object at any time to the processing of the personal data concerning you that takes place in accordance with Art. 6(1)(e) or (f); this also applies for profiling based on these provisions.
10.2. The controller will no longer process the personal data concerning you unless it can prove compelling reasons for the processing that are worth protecting and override your interests, rights, and freedoms, or the processing is for the assertion, exercise, or defence of legal claims.
10.3. If the personal data concerning you is processed for direct advertising purposes, you have the right at any time to object to the processing of the personal data concerning you for the purpose of such advertising; this also applies for the profiling if it is related to such direct advertising.
10.4. If you object to the processing for the purposes of direct advertising, the personal data concerning you will no longer be processed for these purposes.
10.5. You have the opportunity, in relation to the use of information society services – irrespective of Directive 2002/58/EC – to exercise your right to object via an automated process in which technical specifications are applied.
11. Right to withdraw a declaration of consent given under data protection law
You have the right at any time to withdraw your declaration of consent given under data protection law. The withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
12. Automated decision-making in individual cases including profiling
You have the right not to be subjected to a decision based solely on automated processing – including profiling – that has a legal effect on you or impairs you significantly in a similar manner. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller;
(2) is permissible based on legal provisions of the Union or the member states to which the controller is subject, and these legal provisions contain suitable measures to safeguard your rights and freedoms, as well as your legitimate interests; or
(3) takes place with your explicit consent.
12.1. However, these decisions may not be based on specific categories of personal data in accordance with Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to protect the rights and freedoms, as well as your legitimate interests, have been taken.
12.2. Regarding the cases named in (1) and (3), the controller takes suitable measures in order to protect the rights and interests, as well as your legitimate interests, which include at least the right to effect the intervention of a person by the controller, to state one’s own point of view, and to contest the decision.
13. Right to lodge a complaint with a supervisory authority
13.1. Irrespective of any other administrative or judicial
13.2. legal remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the member state of your place of residence, your place of work or the location of the suspected violation, if you are of the opinion that the processing of the personal data concerning you violates the GDPR.
13.3. The supervisory authority to which the complaint is submitted will inform the complainant about the status and the outcome of the complaint, as well as the possibility of legal remedy in accordance with Art. 78 GDPR.
Collection and storing of personal data as well as type and purpose of their use in application processes
If you get in touch with us in order to submit an application for a job advertisement or if you send us an unsolicited application, the personal data you provide us will be collected on a regular basis. Generally, these are:
• Title
• First name, surname
• Address
• Email address
• Phone number (landline and/or mobile)
• Date of birth
• Place
• Family-related data
• Data relating to school certificates
• Data relating to training and qualification
• Higher education certificates
• References from employers, schools, colleges
• When appropriate, health-related data
• Bank details (to pay out travel expenses for travelling to a job interview)
This data is collected
• to process your application
• to carry out the application process
• to communicate with you
• to schedule an appointment for a job interview
• to pay expenses arising from cost assumption in the context of a job interview at our premises
The data processing is based on your request and is legally determined under § 26 of the German Federal Data Protection Act, BDSG, for the purposes mentioned in processing your application.
Disclosure of data to third parties Your personal data is not disclosed to third parties.