English

Privacy Policy

Corporate policy on data protection organisation at Antriebssysteme FAURNDAU GmbH

Status: May 2018

Privacy Policy

Corporate policy on data protection organisation at Antriebssysteme FAURNDAU GmbH

Status: May 2018

Privacy Policy

Corporate policy on data protection organisation at Antriebssysteme FAURNDAU GmbH

Status: May 2018

  1. Principles

The protection of personal data is an important concern to us. We therefore process the personal data of our employees, customers, suppliers and other business partners in compliance with the applicable legal regulations on the protection of personal data and data security.

This Data Privacy Policy describes which types of personal data we gather and how these data are used, to whom they are transmitted, and which options and rights data subjects have regarding our processing of the data. We also describe the measures we use to ensure the security of the data and how data subjects can contact us if they have questions about our data protection practice.

This policy determines the processing of information in compliance with data protection and the existing responsibilities at Antriebssysteme FAURNDAU GmbH. All employees are obligated to comply with this policy.

It addresses

  • the persons or departments deciding on the use/provision of an application system (company management and head of the IT department, including system administrators);

  • the persons or departments deciding on the use of the system for their tasks (this normally affects the operational departments);

  • users, i.e. the ones who use the system that is made available for the completion of their business tasks (when personal data is stored on a desktop computer, the individual user may potentially also decide

on the processing taking place in the system and the programs that are used for this purpose);

  • the company data protection officer (DPO) who advises and checks the implementation of this policy and who is obligated to perform the tasks specifically assigned to him/her.

The following principles apply here:

  • The DP hardware and software are to be used for business tasks, notably for the respectively intended purposes, and must be protected against loss and manipulation. Any use for private purposes requires explicit approval.

  • Each employee is responsible for the implementation of the policy within his/her area of responsibility. He/she must check compliance at regular intervals.

  • The persons overseeing the systems that are used for the processing ensure that the employees (users), including temporary workers reporting to them, are informed of this policy.

  • The data protection officer provides advice on the implementation of the policy and also checks compliance with the policy. To this end, all addressees of the policy are required to provide information to the DPO.

  1. Company data protection officers/data protection coordinators

2.1 In accordance with Article 37 GDPR, Antriebssysteme Faurndau GmbH has appointed a company data protection officer and substitute in case of his/her absence. The DPO performs the tasks assigned to him/her by operation of law and under this policy, in application of his/her expertise and his/her professional qualification, without being bound by instructions.

2.2 The data protection officer informs and advises the company management and employees with regard to their data protection obligations. He/she is responsible for monitoring the compliance with data protection regulations as well as the strategies of the data controller for the protection of personal data, including the assignment of responsibilities, awareness raising and training of employees. With regard to risky data processing activities, the DPO supports the data controller with his/her advice for preparing the risk assessment.

2.3 The DPO reports directly to the company management.

2.4 The DPO is to be involved as early as possible in all matters relating to data protection and the company management, and the employees are to support him/her in the fulfilment of his/her duties.

2.5 The company management appoints a data protection coordinator for the respective organisational unit in agreement with the DPO if this proves to be required based on the organisational conditions (e.g. in case of non-independent external branches). Therefore, the coordinator is an employee who is operationally attributed to the DPO for compliance with the data protection regulations applicable to the company. He/she informs the DPO about data protection issues arising on site. He/she collects information about the processes used separately within his/her area of responsibility and passes on the information to the DPO.

2.6 The a company is required to keep a record of all processing activities. In each operational department, there is at least one person who is assigned the responsibility to compile the information that is needed for this purpose about the procedures in the department in question and to document the information according to the requirements of Art. 30 GDPR. In case of ambiguities regarding the legally required information, the data protection officer may be consulted for advice. The data protection officer must be given a copy of the record of processing activities. Upon request, the company will make the record available to the supervisory authority. The data protection officer is responsible for this in agreement with the company management and cooperates with the supervisory authority.

2.7 Every employee can contact the DPO directly with information, suggestions or complaints; this contact can be kept strictly confidential upon request.

2.8 The DPO reports annually in an activity report to the company management about implemented checks, complaints and, if applicable, any organisational deficiencies still to be rectified. To the extent that the report relates to the processing of personal data or questions of the operational organisation, it will also be made available to the works council.

  1. Procurement/hardware and software

3.1 Hardware and software are generally procured by the central DP purchasing department on request by the person/department making decisions on the processing. In the selection of hardware and software, the principle of the assurance of data protection by technical design and by default is taken into account as a key criterion. The standard operating procedure “Checklist for Compliance with the Requirements for Privacy-by-design/Privacy-by-default” (Annex 1) applies normatively.

3.2 If a new processing procedure for personal data is to be introduced as part of the procurement, the data protection officer has to be informed in good time in advance by the requesting office (for more details, see Sec. 5.2). The procurement will be made only after the DPO has responded. The DPO will provide advice as to whether a data protection impact assessment has to be conducted. Conducting a data protection impact assessment is defined in the standard operating procedure “Risk minimisation by means of data protection impact assessment” (Annex 2).

3.3 Private hardware and software must not be used for the processing of personal data. The business use of private hardware and software at home and in places outside of the company (e.g. on private notebooks) requires approval from the IT department in each specific case.

3.4 The IT department maintains a directory of the hardware and applications in use. The DPO can access the directory at any time.

3.5 The DP department and the DPO must be informed immediately in case it is suspected that hardware and software were stolen, unauthorised access to personal data or sabotage or similar occurred. More details are defined in the standard operating procedure “Conduct in the Event of a Data Breach” (Annex 3).

  1. Obligation/training of employees

4.1 Every employee who handles personal data is subject to the obligation for the confidential treatment of personal data and compliance with this policy.

4.2 The obligation is to be imposed by means of the form intended for this purpose and by the HR department handing out the information leaflet that has been drafted by the DPO.

4.3 Employees who are subject to special confidentiality obligations (e.g. telecommunications secrecy pursuant to Sec. 88 TKG [German Telecommunications Act]) will be obligated additionally in writing by their supervisors. The respective formal obligation is to be included in the personnel files.

4.4 The DPO is to be notified about the obligation of employees and their workplace for the purpose of informing them of further training to be conducted by him/her and the ascertainment of any potential need for control.

4.5 The relevant employees are to receive leave on the dates and for the times of training in agreement with the respective department directors.

  1. Transparency of data processing

5.1 A record of processing activities relating to the handling of personal data is maintained by the data protection officer in accordance with Art. 30 GDPR. The person responsible for a process or the competent data protection coordinator report this promptly according to the requirements defined by the DPO. The same applies to change requests.

5.2 Independently from this report, the DPO is to be informed of the purpose and content of the application and the fulfilment of the reporting duty if there are any plans to introduce new processing activities or change the existing procedures (cf. Sec. 6.3). For standardised data gathering (questionnaires, contests, input fields on the homepage, etc.), the data gathering form and similar must be presented to the DPO for consultation.

5.3 The DPO will inform directly if he/she discovers that the intended processing is subject to a data protection impact assessment. The processing activity may only be performed after the DPO’s agreement. In cases of doubt, the company management will decide.

5.4 If a data subject exercises his/her right of access to his/her data pursuant to Art. 15 GDPR or his/her right of rectification or his/her right to object pursuant to Art. 16 and Art. 21 GDPR, the central processing will be performed by the DPO (in case of companies with regular requests for information, it can also be reasonable to assign the competence to the operational department). Rights of employees to receive information and access are fulfilled by the HR department. It is to be ensured that the data subject can receive his/her data upon request in a structured, common and machine-readable format. The DPO and the IT department are to determine in advance and in mutual agreement which standard meets these requirements. In this regard, the standard operating procedure “Data Portability“ must be observed (Annex 4).

  1. Gathering/processing of personal data

6.1 The gathering and processing of personal data may only take place within the legally permissible limits. For this purpose, the special conditions must also be observed for the gathering and processing of sensitive data according to Art. 9 (1) GDPR. In principle, only such information may be processed and used that is required for the fulfilment of business tasks and which is directly related to the purpose of the processing. Further matters requiring permission, which can legitimate the handling of personal data at the company, are explained in numerous example cases (adjusted to the company) in the standard operating procedure “Handling of Personal Data/Matters Requiring Permission under the GDPR” (Annex 5).

6.2 It is to be ensured that data subjects are not subjected to any decisions, which are based solely on automated processing and simultaneously develop legal effect in relation to the data subject or otherwise cause substantial restrictions for them (e.g. profiling).

6.3 Before new types of procedures for data gathering are introduced, the limited purpose of the data, which is determinant of the permissibility, is to be documented in writing by the persons responsible for the application. A change of the purpose is generally permissible only if the processing is reconcilable with the purposes for which the data were originally gathered. The criteria for consideration that are applied in the context of a change of purpose must be checked one-by-one. The check must additionally be documented on a record consistent with requirements. A catalogue of criteria for this purpose is contained in the standard operating procedure “Compatibility Check for a Change of Purpose” (Annex 6).

This must be observed. A change of purpose is also permissible if consent of the data subject is obtained by the data controller. At the same time, the responsible data processor must define in writing, prior to the gathering or storing of data, whether and in what manner the statutory duty to notify the data subject is to be fulfilled.

6.4 If others request information about data subjects, then this information may be provided without the consent of the data subject only if a statutory obligation for this or a legitimate interest of the company applies, which justifies the transfer, and if the requesting person or entity has been identified without a doubt. In case of doubt, the DPO must be contacted.

  1. Data management/transmission/deletion

7.1 Data are generally stored on the network drives that are provided for this purpose. Storage on mobile data media or in cloud drives (e.g. flash drives, streamers) requires approval from the IT department and registration by the department/user using the data media. When networks are used, the IT department is responsible for the storage of the data that are saved on the server.

7.2 If technical conditions require a different storage location (e.g. notebook, desktop PC), the respective user is personally responsible for the performance of data backups. If network access is available (e.g. for notebooks with WiFi, tablets), the current data stock is to be transferred at least weekly to the network drive reserved for the user. The chosen data backup measures are to be documented in the record of processing activities.

7.3 Statutory retention periods and deletion dates must be observed by the person deciding on the processing of the data under his/her own responsibility. The IT department is to be informed of the adherence to deadlines, especially with regard to the deletion of personal data contained in backup copies.

7.4 When IT components that are no longer required are transferred or returned, the user is obligated to ensure that all data have been effectively deleted beforehand.

  1. External service providers/commissioned data processing/maintenance

8.1 If external service providers are to be contracted for the first time for the processing of personal data or individual processing steps (e.g. gathering, deletion = disposal) or for activities (e.g. maintenance, repair) in the course of which personal data come to their knowledge, the DPO must be informed prior to the contracting by submission of the draft contract satisfying the requirements of Art. 28 GDPR and the criteria of the order control performed or planned in subsequence.

8.2 The same applies if Antriebssysteme FAURNDAU GmbH intends to perform corresponding activities on behalf of third parties.

  1. Security of the processing

9.1 A documented assessment of the protection requirement and an analysis regarding the potential risks for the data subject must be prepared for each processing activity. These are oriented on the kind, scope, circumstances, and purpose of the processing, and on the probability of the occurrence of such a risk.

9.2 A general security concept is to be drafted for the protection of availability, confidentiality and integrity of the data as well as the resilience of the data processing systems. The concept is oriented on the previously drafted assessment of the protection requirement and the risk analysis. This concept applies normatively to all further procedures.

9.3 Besides this policy, supplementing provisions apply, which relate in particular to the measures to be taken for the implementation of the data security principles pursuant to Art. 32 GDPR. This includes, for example:

  • Work instruction on the mailing of data media and encryption of data in compliance with data protection

  • Work instruction on the password procedure

  • Work instruction on the provision of information in HR

  • Work instruction on the use of PCs and laptops

  • Work instruction on telecommuting/home office work

In addition, a number of company agreements define the processing of personal data in more detail. This includes, for example, the agreement

  • on the use of telecommunication systems (telephone, email, internet) at Antriebssysteme FAURNDAU GmbH,

  • the assignment of telecommuting/home office work

  1. Data protection for job applications and on the job application procedure

The data controller gathers and processes the personal data of job applicants for the purpose of completing the job application procedure. The processing can also take place electronically. This is the case in particular if an applicant submits the relevant application documents to the data controller by electronic means, such as email or the online form on the website. If the data controller concludes an employment contract with a job applicant, the transmitted data will be stored in observation of the legal regulations for the purposes of processing the employment contract. If no employment contract is concluded by the data controller with the applicant, the application documents will be deleted two months after the announcement of the decision to decline, provided that no other legitimate interests of the data controller are opposed to the deletion. Other legitimate interest in this sense is, for example, the burden of proof in proceedings under the General Equal Treatment Act (“AGG”).

  1. Principles

The protection of personal data is an important concern to us. We therefore process the personal data of our employees, customers, suppliers and other business partners in compliance with the applicable legal regulations on the protection of personal data and data security.

This Data Privacy Policy describes which types of personal data we gather and how these data are used, to whom they are transmitted, and which options and rights data subjects have regarding our processing of the data. We also describe the measures we use to ensure the security of the data and how data subjects can contact us if they have questions about our data protection practice.

This policy determines the processing of information in compliance with data protection and the existing responsibilities at Antriebssysteme FAURNDAU GmbH. All employees are obligated to comply with this policy.

It addresses

  • the persons or departments deciding on the use/provision of an application system (company management and head of the IT department, including system administrators);

  • the persons or departments deciding on the use of the system for their tasks (this normally affects the operational departments);

  • users, i.e. the ones who use the system that is made available for the completion of their business tasks (when personal data is stored on a desktop computer, the individual user may potentially also decide

on the processing taking place in the system and the programs that are used for this purpose);

  • the company data protection officer (DPO) who advises and checks the implementation of this policy and who is obligated to perform the tasks specifically assigned to him/her.

The following principles apply here:

  • The DP hardware and software are to be used for business tasks, notably for the respectively intended purposes, and must be protected against loss and manipulation. Any use for private purposes requires explicit approval.

  • Each employee is responsible for the implementation of the policy within his/her area of responsibility. He/she must check compliance at regular intervals.

  • The persons overseeing the systems that are used for the processing ensure that the employees (users), including temporary workers reporting to them, are informed of this policy.

  • The data protection officer provides advice on the implementation of the policy and also checks compliance with the policy. To this end, all addressees of the policy are required to provide information to the DPO.

  1. Company data protection officers/data protection coordinators

2.1 In accordance with Article 37 GDPR, Antriebssysteme Faurndau GmbH has appointed a company data protection officer and substitute in case of his/her absence. The DPO performs the tasks assigned to him/her by operation of law and under this policy, in application of his/her expertise and his/her professional qualification, without being bound by instructions.

2.2 The data protection officer informs and advises the company management and employees with regard to their data protection obligations. He/she is responsible for monitoring the compliance with data protection regulations as well as the strategies of the data controller for the protection of personal data, including the assignment of responsibilities, awareness raising and training of employees. With regard to risky data processing activities, the DPO supports the data controller with his/her advice for preparing the risk assessment.

2.3 The DPO reports directly to the company management.

2.4 The DPO is to be involved as early as possible in all matters relating to data protection and the company management, and the employees are to support him/her in the fulfilment of his/her duties.

2.5 The company management appoints a data protection coordinator for the respective organisational unit in agreement with the DPO if this proves to be required based on the organisational conditions (e.g. in case of non-independent external branches). Therefore, the coordinator is an employee who is operationally attributed to the DPO for compliance with the data protection regulations applicable to the company. He/she informs the DPO about data protection issues arising on site. He/she collects information about the processes used separately within his/her area of responsibility and passes on the information to the DPO.

2.6 The a company is required to keep a record of all processing activities. In each operational department, there is at least one person who is assigned the responsibility to compile the information that is needed for this purpose about the procedures in the department in question and to document the information according to the requirements of Art. 30 GDPR. In case of ambiguities regarding the legally required information, the data protection officer may be consulted for advice. The data protection officer must be given a copy of the record of processing activities. Upon request, the company will make the record available to the supervisory authority. The data protection officer is responsible for this in agreement with the company management and cooperates with the supervisory authority.

2.7 Every employee can contact the DPO directly with information, suggestions or complaints; this contact can be kept strictly confidential upon request.

2.8 The DPO reports annually in an activity report to the company management about implemented checks, complaints and, if applicable, any organisational deficiencies still to be rectified. To the extent that the report relates to the processing of personal data or questions of the operational organisation, it will also be made available to the works council.

  1. Procurement/hardware and software

3.1 Hardware and software are generally procured by the central DP purchasing department on request by the person/department making decisions on the processing. In the selection of hardware and software, the principle of the assurance of data protection by technical design and by default is taken into account as a key criterion. The standard operating procedure “Checklist for Compliance with the Requirements for Privacy-by-design/Privacy-by-default” (Annex 1) applies normatively.

3.2 If a new processing procedure for personal data is to be introduced as part of the procurement, the data protection officer has to be informed in good time in advance by the requesting office (for more details, see Sec. 5.2). The procurement will be made only after the DPO has responded. The DPO will provide advice as to whether a data protection impact assessment has to be conducted. Conducting a data protection impact assessment is defined in the standard operating procedure “Risk minimisation by means of data protection impact assessment” (Annex 2).

3.3 Private hardware and software must not be used for the processing of personal data. The business use of private hardware and software at home and in places outside of the company (e.g. on private notebooks) requires approval from the IT department in each specific case.

3.4 The IT department maintains a directory of the hardware and applications in use. The DPO can access the directory at any time.

3.5 The DP department and the DPO must be informed immediately in case it is suspected that hardware and software were stolen, unauthorised access to personal data or sabotage or similar occurred. More details are defined in the standard operating procedure “Conduct in the Event of a Data Breach” (Annex 3).

  1. Obligation/training of employees

4.1 Every employee who handles personal data is subject to the obligation for the confidential treatment of personal data and compliance with this policy.

4.2 The obligation is to be imposed by means of the form intended for this purpose and by the HR department handing out the information leaflet that has been drafted by the DPO.

4.3 Employees who are subject to special confidentiality obligations (e.g. telecommunications secrecy pursuant to Sec. 88 TKG [German Telecommunications Act]) will be obligated additionally in writing by their supervisors. The respective formal obligation is to be included in the personnel files.

4.4 The DPO is to be notified about the obligation of employees and their workplace for the purpose of informing them of further training to be conducted by him/her and the ascertainment of any potential need for control.

4.5 The relevant employees are to receive leave on the dates and for the times of training in agreement with the respective department directors.

  1. Transparency of data processing

5.1 A record of processing activities relating to the handling of personal data is maintained by the data protection officer in accordance with Art. 30 GDPR. The person responsible for a process or the competent data protection coordinator report this promptly according to the requirements defined by the DPO. The same applies to change requests.

5.2 Independently from this report, the DPO is to be informed of the purpose and content of the application and the fulfilment of the reporting duty if there are any plans to introduce new processing activities or change the existing procedures (cf. Sec. 6.3). For standardised data gathering (questionnaires, contests, input fields on the homepage, etc.), the data gathering form and similar must be presented to the DPO for consultation.

5.3 The DPO will inform directly if he/she discovers that the intended processing is subject to a data protection impact assessment. The processing activity may only be performed after the DPO’s agreement. In cases of doubt, the company management will decide.

5.4 If a data subject exercises his/her right of access to his/her data pursuant to Art. 15 GDPR or his/her right of rectification or his/her right to object pursuant to Art. 16 and Art. 21 GDPR, the central processing will be performed by the DPO (in case of companies with regular requests for information, it can also be reasonable to assign the competence to the operational department). Rights of employees to receive information and access are fulfilled by the HR department. It is to be ensured that the data subject can receive his/her data upon request in a structured, common and machine-readable format. The DPO and the IT department are to determine in advance and in mutual agreement which standard meets these requirements. In this regard, the standard operating procedure “Data Portability“ must be observed (Annex 4).

  1. Gathering/processing of personal data

6.1 The gathering and processing of personal data may only take place within the legally permissible limits. For this purpose, the special conditions must also be observed for the gathering and processing of sensitive data according to Art. 9 (1) GDPR. In principle, only such information may be processed and used that is required for the fulfilment of business tasks and which is directly related to the purpose of the processing. Further matters requiring permission, which can legitimate the handling of personal data at the company, are explained in numerous example cases (adjusted to the company) in the standard operating procedure “Handling of Personal Data/Matters Requiring Permission under the GDPR” (Annex 5).

6.2 It is to be ensured that data subjects are not subjected to any decisions, which are based solely on automated processing and simultaneously develop legal effect in relation to the data subject or otherwise cause substantial restrictions for them (e.g. profiling).

6.3 Before new types of procedures for data gathering are introduced, the limited purpose of the data, which is determinant of the permissibility, is to be documented in writing by the persons responsible for the application. A change of the purpose is generally permissible only if the processing is reconcilable with the purposes for which the data were originally gathered. The criteria for consideration that are applied in the context of a change of purpose must be checked one-by-one. The check must additionally be documented on a record consistent with requirements. A catalogue of criteria for this purpose is contained in the standard operating procedure “Compatibility Check for a Change of Purpose” (Annex 6).

This must be observed. A change of purpose is also permissible if consent of the data subject is obtained by the data controller. At the same time, the responsible data processor must define in writing, prior to the gathering or storing of data, whether and in what manner the statutory duty to notify the data subject is to be fulfilled.

6.4 If others request information about data subjects, then this information may be provided without the consent of the data subject only if a statutory obligation for this or a legitimate interest of the company applies, which justifies the transfer, and if the requesting person or entity has been identified without a doubt. In case of doubt, the DPO must be contacted.

  1. Data management/transmission/deletion

7.1 Data are generally stored on the network drives that are provided for this purpose. Storage on mobile data media or in cloud drives (e.g. flash drives, streamers) requires approval from the IT department and registration by the department/user using the data media. When networks are used, the IT department is responsible for the storage of the data that are saved on the server.

7.2 If technical conditions require a different storage location (e.g. notebook, desktop PC), the respective user is personally responsible for the performance of data backups. If network access is available (e.g. for notebooks with WiFi, tablets), the current data stock is to be transferred at least weekly to the network drive reserved for the user. The chosen data backup measures are to be documented in the record of processing activities.

7.3 Statutory retention periods and deletion dates must be observed by the person deciding on the processing of the data under his/her own responsibility. The IT department is to be informed of the adherence to deadlines, especially with regard to the deletion of personal data contained in backup copies.

7.4 When IT components that are no longer required are transferred or returned, the user is obligated to ensure that all data have been effectively deleted beforehand.

  1. External service providers/commissioned data processing/maintenance

8.1 If external service providers are to be contracted for the first time for the processing of personal data or individual processing steps (e.g. gathering, deletion = disposal) or for activities (e.g. maintenance, repair) in the course of which personal data come to their knowledge, the DPO must be informed prior to the contracting by submission of the draft contract satisfying the requirements of Art. 28 GDPR and the criteria of the order control performed or planned in subsequence.

8.2 The same applies if Antriebssysteme FAURNDAU GmbH intends to perform corresponding activities on behalf of third parties.

  1. Security of the processing

9.1 A documented assessment of the protection requirement and an analysis regarding the potential risks for the data subject must be prepared for each processing activity. These are oriented on the kind, scope, circumstances, and purpose of the processing, and on the probability of the occurrence of such a risk.

9.2 A general security concept is to be drafted for the protection of availability, confidentiality and integrity of the data as well as the resilience of the data processing systems. The concept is oriented on the previously drafted assessment of the protection requirement and the risk analysis. This concept applies normatively to all further procedures.

9.3 Besides this policy, supplementing provisions apply, which relate in particular to the measures to be taken for the implementation of the data security principles pursuant to Art. 32 GDPR. This includes, for example:

  • Work instruction on the mailing of data media and encryption of data in compliance with data protection

  • Work instruction on the password procedure

  • Work instruction on the provision of information in HR

  • Work instruction on the use of PCs and laptops

  • Work instruction on telecommuting/home office work

In addition, a number of company agreements define the processing of personal data in more detail. This includes, for example, the agreement

  • on the use of telecommunication systems (telephone, email, internet) at Antriebssysteme FAURNDAU GmbH,

  • the assignment of telecommuting/home office work

  1. Data protection for job applications and on the job application procedure

The data controller gathers and processes the personal data of job applicants for the purpose of completing the job application procedure. The processing can also take place electronically. This is the case in particular if an applicant submits the relevant application documents to the data controller by electronic means, such as email or the online form on the website. If the data controller concludes an employment contract with a job applicant, the transmitted data will be stored in observation of the legal regulations for the purposes of processing the employment contract. If no employment contract is concluded by the data controller with the applicant, the application documents will be deleted two months after the announcement of the decision to decline, provided that no other legitimate interests of the data controller are opposed to the deletion. Other legitimate interest in this sense is, for example, the burden of proof in proceedings under the General Equal Treatment Act (“AGG”).

  1. Principles

The protection of personal data is an important concern to us. We therefore process the personal data of our employees, customers, suppliers and other business partners in compliance with the applicable legal regulations on the protection of personal data and data security.

This Data Privacy Policy describes which types of personal data we gather and how these data are used, to whom they are transmitted, and which options and rights data subjects have regarding our processing of the data. We also describe the measures we use to ensure the security of the data and how data subjects can contact us if they have questions about our data protection practice.

This policy determines the processing of information in compliance with data protection and the existing responsibilities at Antriebssysteme FAURNDAU GmbH. All employees are obligated to comply with this policy.

It addresses

  • the persons or departments deciding on the use/provision of an application system (company management and head of the IT department, including system administrators);

  • the persons or departments deciding on the use of the system for their tasks (this normally affects the operational departments);

  • users, i.e. the ones who use the system that is made available for the completion of their business tasks (when personal data is stored on a desktop computer, the individual user may potentially also decide

on the processing taking place in the system and the programs that are used for this purpose);

  • the company data protection officer (DPO) who advises and checks the implementation of this policy and who is obligated to perform the tasks specifically assigned to him/her.

The following principles apply here:

  • The DP hardware and software are to be used for business tasks, notably for the respectively intended purposes, and must be protected against loss and manipulation. Any use for private purposes requires explicit approval.

  • Each employee is responsible for the implementation of the policy within his/her area of responsibility. He/she must check compliance at regular intervals.

  • The persons overseeing the systems that are used for the processing ensure that the employees (users), including temporary workers reporting to them, are informed of this policy.

  • The data protection officer provides advice on the implementation of the policy and also checks compliance with the policy. To this end, all addressees of the policy are required to provide information to the DPO.

  1. Company data protection officers/data protection coordinators

2.1 In accordance with Article 37 GDPR, Antriebssysteme Faurndau GmbH has appointed a company data protection officer and substitute in case of his/her absence. The DPO performs the tasks assigned to him/her by operation of law and under this policy, in application of his/her expertise and his/her professional qualification, without being bound by instructions.

2.2 The data protection officer informs and advises the company management and employees with regard to their data protection obligations. He/she is responsible for monitoring the compliance with data protection regulations as well as the strategies of the data controller for the protection of personal data, including the assignment of responsibilities, awareness raising and training of employees. With regard to risky data processing activities, the DPO supports the data controller with his/her advice for preparing the risk assessment.

2.3 The DPO reports directly to the company management.

2.4 The DPO is to be involved as early as possible in all matters relating to data protection and the company management, and the employees are to support him/her in the fulfilment of his/her duties.

2.5 The company management appoints a data protection coordinator for the respective organisational unit in agreement with the DPO if this proves to be required based on the organisational conditions (e.g. in case of non-independent external branches). Therefore, the coordinator is an employee who is operationally attributed to the DPO for compliance with the data protection regulations applicable to the company. He/she informs the DPO about data protection issues arising on site. He/she collects information about the processes used separately within his/her area of responsibility and passes on the information to the DPO.

2.6 The a company is required to keep a record of all processing activities. In each operational department, there is at least one person who is assigned the responsibility to compile the information that is needed for this purpose about the procedures in the department in question and to document the information according to the requirements of Art. 30 GDPR. In case of ambiguities regarding the legally required information, the data protection officer may be consulted for advice. The data protection officer must be given a copy of the record of processing activities. Upon request, the company will make the record available to the supervisory authority. The data protection officer is responsible for this in agreement with the company management and cooperates with the supervisory authority.

2.7 Every employee can contact the DPO directly with information, suggestions or complaints; this contact can be kept strictly confidential upon request.

2.8 The DPO reports annually in an activity report to the company management about implemented checks, complaints and, if applicable, any organisational deficiencies still to be rectified. To the extent that the report relates to the processing of personal data or questions of the operational organisation, it will also be made available to the works council.

  1. Procurement/hardware and software

3.1 Hardware and software are generally procured by the central DP purchasing department on request by the person/department making decisions on the processing. In the selection of hardware and software, the principle of the assurance of data protection by technical design and by default is taken into account as a key criterion. The standard operating procedure “Checklist for Compliance with the Requirements for Privacy-by-design/Privacy-by-default” (Annex 1) applies normatively.

3.2 If a new processing procedure for personal data is to be introduced as part of the procurement, the data protection officer has to be informed in good time in advance by the requesting office (for more details, see Sec. 5.2). The procurement will be made only after the DPO has responded. The DPO will provide advice as to whether a data protection impact assessment has to be conducted. Conducting a data protection impact assessment is defined in the standard operating procedure “Risk minimisation by means of data protection impact assessment” (Annex 2).

3.3 Private hardware and software must not be used for the processing of personal data. The business use of private hardware and software at home and in places outside of the company (e.g. on private notebooks) requires approval from the IT department in each specific case.

3.4 The IT department maintains a directory of the hardware and applications in use. The DPO can access the directory at any time.

3.5 The DP department and the DPO must be informed immediately in case it is suspected that hardware and software were stolen, unauthorised access to personal data or sabotage or similar occurred. More details are defined in the standard operating procedure “Conduct in the Event of a Data Breach” (Annex 3).

  1. Obligation/training of employees

4.1 Every employee who handles personal data is subject to the obligation for the confidential treatment of personal data and compliance with this policy.

4.2 The obligation is to be imposed by means of the form intended for this purpose and by the HR department handing out the information leaflet that has been drafted by the DPO.

4.3 Employees who are subject to special confidentiality obligations (e.g. telecommunications secrecy pursuant to Sec. 88 TKG [German Telecommunications Act]) will be obligated additionally in writing by their supervisors. The respective formal obligation is to be included in the personnel files.

4.4 The DPO is to be notified about the obligation of employees and their workplace for the purpose of informing them of further training to be conducted by him/her and the ascertainment of any potential need for control.

4.5 The relevant employees are to receive leave on the dates and for the times of training in agreement with the respective department directors.

  1. Transparency of data processing

5.1 A record of processing activities relating to the handling of personal data is maintained by the data protection officer in accordance with Art. 30 GDPR. The person responsible for a process or the competent data protection coordinator report this promptly according to the requirements defined by the DPO. The same applies to change requests.

5.2 Independently from this report, the DPO is to be informed of the purpose and content of the application and the fulfilment of the reporting duty if there are any plans to introduce new processing activities or change the existing procedures (cf. Sec. 6.3). For standardised data gathering (questionnaires, contests, input fields on the homepage, etc.), the data gathering form and similar must be presented to the DPO for consultation.

5.3 The DPO will inform directly if he/she discovers that the intended processing is subject to a data protection impact assessment. The processing activity may only be performed after the DPO’s agreement. In cases of doubt, the company management will decide.

5.4 If a data subject exercises his/her right of access to his/her data pursuant to Art. 15 GDPR or his/her right of rectification or his/her right to object pursuant to Art. 16 and Art. 21 GDPR, the central processing will be performed by the DPO (in case of companies with regular requests for information, it can also be reasonable to assign the competence to the operational department). Rights of employees to receive information and access are fulfilled by the HR department. It is to be ensured that the data subject can receive his/her data upon request in a structured, common and machine-readable format. The DPO and the IT department are to determine in advance and in mutual agreement which standard meets these requirements. In this regard, the standard operating procedure “Data Portability“ must be observed (Annex 4).

  1. Gathering/processing of personal data

6.1 The gathering and processing of personal data may only take place within the legally permissible limits. For this purpose, the special conditions must also be observed for the gathering and processing of sensitive data according to Art. 9 (1) GDPR. In principle, only such information may be processed and used that is required for the fulfilment of business tasks and which is directly related to the purpose of the processing. Further matters requiring permission, which can legitimate the handling of personal data at the company, are explained in numerous example cases (adjusted to the company) in the standard operating procedure “Handling of Personal Data/Matters Requiring Permission under the GDPR” (Annex 5).

6.2 It is to be ensured that data subjects are not subjected to any decisions, which are based solely on automated processing and simultaneously develop legal effect in relation to the data subject or otherwise cause substantial restrictions for them (e.g. profiling).

6.3 Before new types of procedures for data gathering are introduced, the limited purpose of the data, which is determinant of the permissibility, is to be documented in writing by the persons responsible for the application. A change of the purpose is generally permissible only if the processing is reconcilable with the purposes for which the data were originally gathered. The criteria for consideration that are applied in the context of a change of purpose must be checked one-by-one. The check must additionally be documented on a record consistent with requirements. A catalogue of criteria for this purpose is contained in the standard operating procedure “Compatibility Check for a Change of Purpose” (Annex 6).

This must be observed. A change of purpose is also permissible if consent of the data subject is obtained by the data controller. At the same time, the responsible data processor must define in writing, prior to the gathering or storing of data, whether and in what manner the statutory duty to notify the data subject is to be fulfilled.

6.4 If others request information about data subjects, then this information may be provided without the consent of the data subject only if a statutory obligation for this or a legitimate interest of the company applies, which justifies the transfer, and if the requesting person or entity has been identified without a doubt. In case of doubt, the DPO must be contacted.

  1. Data management/transmission/deletion

7.1 Data are generally stored on the network drives that are provided for this purpose. Storage on mobile data media or in cloud drives (e.g. flash drives, streamers) requires approval from the IT department and registration by the department/user using the data media. When networks are used, the IT department is responsible for the storage of the data that are saved on the server.

7.2 If technical conditions require a different storage location (e.g. notebook, desktop PC), the respective user is personally responsible for the performance of data backups. If network access is available (e.g. for notebooks with WiFi, tablets), the current data stock is to be transferred at least weekly to the network drive reserved for the user. The chosen data backup measures are to be documented in the record of processing activities.

7.3 Statutory retention periods and deletion dates must be observed by the person deciding on the processing of the data under his/her own responsibility. The IT department is to be informed of the adherence to deadlines, especially with regard to the deletion of personal data contained in backup copies.

7.4 When IT components that are no longer required are transferred or returned, the user is obligated to ensure that all data have been effectively deleted beforehand.

  1. External service providers/commissioned data processing/maintenance

8.1 If external service providers are to be contracted for the first time for the processing of personal data or individual processing steps (e.g. gathering, deletion = disposal) or for activities (e.g. maintenance, repair) in the course of which personal data come to their knowledge, the DPO must be informed prior to the contracting by submission of the draft contract satisfying the requirements of Art. 28 GDPR and the criteria of the order control performed or planned in subsequence.

8.2 The same applies if Antriebssysteme FAURNDAU GmbH intends to perform corresponding activities on behalf of third parties.

  1. Security of the processing

9.1 A documented assessment of the protection requirement and an analysis regarding the potential risks for the data subject must be prepared for each processing activity. These are oriented on the kind, scope, circumstances, and purpose of the processing, and on the probability of the occurrence of such a risk.

9.2 A general security concept is to be drafted for the protection of availability, confidentiality and integrity of the data as well as the resilience of the data processing systems. The concept is oriented on the previously drafted assessment of the protection requirement and the risk analysis. This concept applies normatively to all further procedures.

9.3 Besides this policy, supplementing provisions apply, which relate in particular to the measures to be taken for the implementation of the data security principles pursuant to Art. 32 GDPR. This includes, for example:

  • Work instruction on the mailing of data media and encryption of data in compliance with data protection

  • Work instruction on the password procedure

  • Work instruction on the provision of information in HR

  • Work instruction on the use of PCs and laptops

  • Work instruction on telecommuting/home office work

In addition, a number of company agreements define the processing of personal data in more detail. This includes, for example, the agreement

  • on the use of telecommunication systems (telephone, email, internet) at Antriebssysteme FAURNDAU GmbH,

  • the assignment of telecommuting/home office work

  1. Data protection for job applications and on the job application procedure

The data controller gathers and processes the personal data of job applicants for the purpose of completing the job application procedure. The processing can also take place electronically. This is the case in particular if an applicant submits the relevant application documents to the data controller by electronic means, such as email or the online form on the website. If the data controller concludes an employment contract with a job applicant, the transmitted data will be stored in observation of the legal regulations for the purposes of processing the employment contract. If no employment contract is concluded by the data controller with the applicant, the application documents will be deleted two months after the announcement of the decision to decline, provided that no other legitimate interests of the data controller are opposed to the deletion. Other legitimate interest in this sense is, for example, the burden of proof in proceedings under the General Equal Treatment Act (“AGG”).

Let's get in touch

Let's get in touch

Location Göppingen

Your trustworthy partner for individual new products and service, a wide range of services as well as repairs and spare parts:

Antriebssysteme FAURNDAU GmbH

Goethestr. 45

73035 Göppingen-Faurndau

Germany

Phone: +49 (0) 7161 2000-0

Fax: +49 (0) 7161 2000-11

Location Göppingen

Your trustworthy partner for individual new products and service, a wide range of services as well as repairs and spare parts:

Antriebssysteme FAURNDAU GmbH

Goethestr. 45

73035 Göppingen-Faurndau

Germany

Phone: +49 (0) 7161 2000-0

Fax: +49 (0) 7161 2000-11

Location Göppingen

Your trustworthy partner for individual new products and service, a wide range of services as well as repairs and spare parts:

Antriebssysteme FAURNDAU GmbH

Goethestr. 45

73035 Göppingen-Faurndau

Germany

Phone: +49 (0) 7161 2000-0

Fax: +49 (0) 7161 2000-11

© 2023 Faurndau. Created by stilweise ./ sleek.app

English