Data protection declaration
We have prepared this document to inform you about how we process your personal data in connection with the use of our offer.
We are committed to comply with the legal provisions on data protection and always strive to take the principles of data avoidance and data minimisation into account.
1. Name and contact data of data controller and company data protection officer
1.1. Data controller
Baionity GmbH
Owiedenfeldstraße 6
30559 Hannover, Germany
T +49 (511) 898 650 00
Internet: www.baionity.com
2. General information about data processing
2.1. When do we collect and process personal data?
We only collect and process your personal data as a visitor to our website as is necessary to provide a properly functioning website together with its content and services; only data is processed which is actively transmitted to us by way of your entries.
1. You have granted us your consent for the processing of your personal data for one or more purposes, Article 6 para 1 lit. a) GDPR.
2. It is necessary to process your personal data in order to fulfil a contract or for the implementation of pre-contractual measures with you, Article 6 para 1 lit. b) GDPR.
3. The processing of your personal data is necessary in order to safeguard our legitimate interests except where your interests or fundamental rights and freedoms prevail, Article 6 para 1 lit. f) GDPR.
We will provide you with detailed information in this context about the purpose or purposes of processing your personal data and we will also document your express consent to do so.
In a number of different cases your personal data may be processed for example when you visit our website, make an application, contact us, for remote maintenance, processing and fulfilling your orders or their justification, managing your account, improving the design, organisation and functionality of the website and continuously improving our services, providing information about products and services. With respect to the legal basis and for details, we would also refer you to the following notes.
2.2. Visits to our website
When you access our website our system automatically collects data and information about the computer system of the accessing computer. The legal basis for processing is Article 6 para 1 lit. f GDPR.
The following information is recorded without your intervention and is stored until it is automatically erased.
Each time you visit our website the IP address of the requesting computer is saved. Date and time of access, name and URL of the files accessed, the website from which access was made (referrer URL), browser used and, if applicable, the operating system of your computer together with the name of your access provider.
2.3. Applications
Should you apply for a situation vacant offered by us or make an unsolicited application, we shall process your data to action the application process and in order to make a decision on determining an employment relationship. The legal basis for such processing is Article 26 BDSG and subordinately Article 6 para 1 lit. f GDPR.
If we do not consider your application, we delete your application and the submitted documents within three months after our decision. In order to be compliant with our statutory obligations for example in accordance with the German General Equal Treatment Act (AGG), we save the data as described based on our legitimate interests.
By withdrawing your application, you can effectively object to any further processing of your data at any time. Should we establish an employment relationship with you, we shall provide separate information concerning the processing of your data and your rights.
2.4. Contact enquiries
If you send us a message by one of the contact options available (contact form, email address), personal data will be transmitted and stored. We use such data as given to us to process your request and there is no transfer of the data to third parties in this respect.
The legal basis for such actions is our legitimate interest to answer your request in accordance with Article 6 para 1 lit. f) GDPR. If the purpose of your request is to conclude a contract with us, an additional legal basis for data processing is then Article 6 para 1 lit. b) GDPR. Following on from your request and its processing, data will be erased no later than three months after receipt. The data will be erased as soon as it is no longer required to achieve the purpose for which it was collected, e.g. the matter at hand has been fully and finally clarified.
If we are legally obliged to store the data for a longer period of time the data will be erased after the relevant period has expired.
2.5. Newsletter
Should you wish to receive our newsletter, we will guide you through a registration process by email (name, login details, registration data). The legal basis for our offer is your consent in accordance with Article 6 para 1 lit. a) GDPR. You may cancel the newsletter by unsubscribing using the link published in the newsletter. The data subject may cancel the subscription to our newsletter at any time.
The newsletters contain so-called tracking pixels; these are recorded, analysed and statistically evaluated in order to assess online marketing campaigns.
2.6. Evaluation
Your data is not subject to any form of personal evaluation. The statistical evaluation of pseudonymised or anonymised data records for the purpose of improving the website and for statistical purposes (number of users and page views) is stored. The IP data is also kept for reasons of system security.The legal basis for processing is in accordance with Article 6 para 1 lit. f) GDPR
2.7. Customer registration (portal)
If you register on the customer portal, you allow the collection and processing of personal data by Baionity or by third party service providers in the name and on behalf of Baionity on the basis of the applicable data protection provisions. Your personal data (registration data, transaction data) will be processed for the existing contractual relationship.
Within the customer portal you will receive further information on data processing.
The legal basis for this is our contractual relationship pursuant to Art. 6 para. 1 lit. b) DSGVO.
The data will be deleted according to legal retention periods.
3 Rights of data subject
In the event that your personal data is processed, you are considered a data subject in accordance with the GDPR and you have the following rights with respect to us as the responsible party.
3.1. Right to information
In accordance with Article 15 GDPR you have the right to request confirmation from us as to whether we process your personal data. If this is the case you have the right to information about this personal data and also information as specified in Article 15 GDPR.
3.2. Right to rectification
In accordance with article 16 GDPR you have the right to request that we immediately rectify any incorrect personal data relating to you. Reflecting the purpose of processing you also have the right to request the completion of incomplete personal data, also by means of a supplementary declaration.
3.3. Right to erasure
You have the right to request that we erase your personal data with immediate effect. We are obliged to erase personal data immediately if the relevant requirements of Article 17 GDPR are met.
3.4. Right to restriction of processing
In accordance with Article 18 GDPR you have the right under certain circumstances to request that we restrict the processing of your personal data.
3.5. Right to data portability
In accordance with Article 20 GDPR, you have the right to receive your personal data as provided by you to us in a structured, commonly-used electronic form and you further have the right to give this data to another person, another data controller without hindrance from us insofar as processing is based on authorisation in accordance with Article 6 para 1 lit. a GDPR or Article 9 para 2 lit. a GDPR or based on a contract in accordance with Article 6 para 1 lit. b GDPR whereby processing takes place aided by automated processes.
3.6. Right to object
In accordance with Article 21 GDPR you have the right to object to the processing of your personal data as may be taking place in accordance with Article 6 para 1 lit. e or lit. f GDPR; this also applies to any profiling taking place based on these provisions.
If you would like to exercise such right please contact us in our role as the data controller using the contact details provided above or use one of the other options offered to send us your message.
If you wish to withdraw your consent to the processing of personal data in accordance with Article 7 para 3 GDPR, send us an email with the subject “Withdrawal of consent”.If you have any questions, please contact us.In such case, all personal data saved in the course of contacting us will be erased provided there are no legitimate interests in blocking it.
3.7. Right to lodge a complaint with the supervisory authority
In accordance with Article 77 GDPR you have the right to lodge a complaint with the supervisory authority. This right exists in particular in the EU member state of your residence, your place of work or the place of the alleged violation if you believe that the processing of your personal data is in violation of the GDPR.
Our competent supervisory authority is:Die Landesbeauftragte für den Datenschutz Niedersachsen (Data protection authority of the state of Lower Saxony)
Internet link: www.lfd.niedersachsen.de.
4. Security measures to protect your data
4.1. Protection of your privacy
We are committed to protecting your privacy and treating your personal data confidentially. We have taken extensive technical and organisational precautions to prevent manipulation, loss or misuse of your data stored by us. These actions are checked regularly and adapted in accordance with technological progress.
If we collect data, we (or our data processors) process your data on specially protected servers in the EU. In accordance with authorisation management, access is only granted to a small number of authorised persons who are responsible for technical, commercial or editorial support.
4.2. Encryption of website communication
It is pointed out at this time that it is possible, due to the structure of the internet, for rules of data protection and the above-mentioned security measures to be ignored by persons or institutions lying outside of our control.
With respect to security reasons and in order to protect the transmission of confidential content such as inquiries you send us as the website operator, this website uses SSL encryption. An encrypted connection/link is identified by the following information in the address line of the browser, which changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL encryption is activated, the data that you transmit to us cannot be read by third parties.
4.3. Unencrypted communication
It is possible for third parties to read unencrypted data transmissions, for example data sent in unencrypted emails. We have no technical influence on this matter. It is your responsibility to protect the data within your area of control against misuse by way of encryption or some other means.
5. Amendments to this policy
You are advised that we may update this data protection policy from time to time by publishing a new version thereof on our website. We may also inform you about such changes by email.
V.03_18.02.2020 adaption of data protection policy to GDPR
Supplementary data protection declaration (customer portal)
This information supplements the privacy policy our website for the use of our customer portal within our contractual relationship.
2.7. Customer registration (portal):
We only process personal data if this is necessary within the framework of the contract processing, for example to the credit institution commissioned with the payment processing or for interaction with you.
Your data will not be passed on to third parties without your express consent, for example for advertising purposes.
The legal basis for data processing is Art. 6 para. 1 lit. b) GDPR.
The data will be deleted after legal retention periods.We use Klaro, a cookie content management tool, on our website. The service provider is KI Protect GmbH, Bismarkstraße 10-12, 10625 Berlin, Germany, with whom we have concluded an order processing contract (DPA). For more information about Klaro, please see the Klaro data processing privacy policy: https://heyklaro.com/resources/privacy
The legal basis for data processing is Art. 6 para. 1 lit. c) GDPR, § 26 TTDSG.
The data will be deleted after legal retention periods.
2.8 Baionity platform
The Baionity platform is operated on the Microsoft Azure West Europe cloud service. The Microsoft Azure West Europe Cloud servers are stationed exclusively in Europe. Provider is Microsoft Corporation, One Microsoft Way, 98052-6399 Redmond WA, United States of America (Microsoft Azure) with whom we have concluded an order processing contract and EU standard data protection clauses.
The legitimate interest is the error-free functioning of the customer portal.You can find more information about the Microsoft Azure Cloud in the Microsoft privacy policy: https://www.microsoft.com/de-de/trust-center.Legal basis for data processing is Art. 6 para. 1 lit. b) GDPR
The data will be deleted after legal retention periods.
2.9. Content Delivery Network (CDN)
To increase the security and delivery speed of our website, we use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich Germany (Cloudflare).
in CDN is a network of distributed servers that is able to deliver optimised content to the website user. For this purpose, personal data may be processed in server log files by Cloudflare.
A contract in accordance with Art. 28 GDPR with EU standard contractual clauses has been concluded for this purpose.The legal basis is Art. 6 para. 1 lit f) GDPR.
You have the right to object to the processing, as the processing is neither legally nor contractually required. The functionality of the website is not guaranteed without the processing.For more information on Cloudflare’s data protection, please visit:https://www.cloudflare.com/privacypolicy/
2.9 Payment transactions
We offer the option of processing the payment transaction via the payment service provider Stripe, ℅ Legal Process, 510, Townsend St., San Francisco, CA 94103 (Stripe). This is in line with our legitimate interest in offering an efficient and secure payment method. In this context, we share data with Stripe to the extent necessary for the performance of the contract. Your data will be stored by us until the completion of the payment processing. This includes the period required for processing refunds, claims management and fraud prevention.
Stripe acts as a processor to carry out transactions within the payment networks. A contract in accordance with Art. 28 GDPR with EU standard contractual clauses has been concluded for this purpose.The legal basis is Art. 6 para. 1 lit b) GDPR.
A statutory retention period of 10 years applies to us in accordance with § 147 AO / § 257 HGB.
You can find more information on Stripe’s data protection at: https://stripe.com/privacy-center/legal
2.10.1 Customer interaction with Crisp
For better communication with our customers, we use the chat software Crisp, 149 Rue Pierre Semard, 29200 Brest, France.
In our customer portal you will find the blue Crisp chat box. For the operation of a chat session or use of its functions (e.g. messages), cookies are set, without which communication with us will not work. A contract in accordance with Art. 28 DSVGO has been concluded with Crisp for this purpose.The legal basis is Art. 6 para. 1 lit f) GDPR.
After a session without using the chatbox, the log files are automatically deleted after 30 minutes.
You have the right to object to the processing, as the processing is neither legally nor contractually required. Chat communication is not possible without consent.You can find more information about Crisp’s data protection at: https://crisp.chat/de/privacy/
2.10.2 Customer interaction with haash
For better communication with our customers, we use the helpdesk-plugin from haash.io, 149 Rue Pierre Semard, 29200 Brest, France. Headquarters is Ashburn, Virginia, United States
In our customer portal, you will find the red FAQ box. Cookies are set for the use of the knowledge database and its functions, without which communication with us will not work.
A contract in accordance with Art. 28 GDPR has been concluded with haash.io for this purpose.
The legal basis is Art. 6 para. 1 lit f) GDPR.
After a session without using the FAQ box, the log files are automatically deleted after 30 minutes.
You have the right to object to the processing, as the processing is neither legally nor contractually required. FAQ-Box is not possible without consent. You can find more information on data protection from haash at: https://faq123.haash.io/privacy
3. Right of the data subject
You can find your rights as a data subject here: https://www.baionity.com/data-privacy/