Dear Sir or Madam,

The purpose of this data protection notice is to inform you about how Sternico GmbH processes your personal data and about your rights as a data subject under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), as applicable since May 25, 2018.

Controller responsible for processing your personal data

Sternico GmbH
Dreimännerstraße 5
38176 Wendeburg

Phone: +49 (5303) 9794 – 0
Fax: +49 (5303) 9794 – 220
Email: mail@sternico.com

Data protection officer

You can contact our data protection officer by email at: datenschutz@sternico.com

 

Information for business partners (customers, suppliers, service providers, etc.)

 

Data source

You generally provide us with your personal data when you place an order or as part of our business relationship. This means that we collect your personal data directly from you.

However, we may also process personal data that we have not collected ourselves. The source of the data may be public. Such sources are:

  • the results of an internet search
  • trade and association registers
  • the press

Furthermore, in certain cases we may receive your personal data from third parties, which do not constitute public sources. These include:

  • Public authorities

Public authorities occasionally forward your personal data to us in order to enable us to process your requests and provide the associated service.

  • Our business partners

Companies affiliated with us under a business relationship occasionally forward your personal data to us in order to enable us to process your requests and provide the associated service.

Purposes and legal basis of data processing

We process your personal data exclusively in accordance with the legal requirements of the GDPR, the BDSG and any relevant sector-specific laws. Therefore, we process your data if there is a contractual basis for doing so, to protect our legitimate interests, if you have given us your consent to process the data or if a law permits or obliges us to process your data.

  1. Data processing for the purpose of fulfilling a contract or implementing pre-contractual measures

We process your personal data to the extent necessary for the implementation of pre-contractual measures, for the conclusion of the contract, the execution of the contract and the termination of the contractual relationship. In addition to the data of the service you have ordered or the goods you have ordered, this includes your first name, your last name, your customer number, your business address, your business bank details, your position in the company and your details on the supplier master sheet. To ensure and guarantee the smooth running of our business relationship, as well as for access to our systems, we also process your personal access data and your e-mail correspondence with us.

In order to enable you to properly execute the contract and to contact you as quickly as possible in the event of any queries or problems, for example, we also process your address, your telephone or mobile phone number and your e-mail address, insofar as you have provided us with this information for this purpose.

The legal basis for data processing for the performance of a contract and the implementation of pre-contractual measures is usually Article 6 para. 1 lit. b GDPR.

  2. Data processing for the purpose of safeguarding the legitimate interests of the controller or a third party

We also process your data to the extent necessary to safeguard our legitimate interests or the legitimate interests of a third party. The processing we carry out on the basis of a legitimate interest regularly includes direct advertising for our own products, the creation of internal statistics, the investigation of criminal offences, measures to ensure the proper operation of our IT infrastructure, and the transmission of your personal data to credit agencies to check your creditworthiness.

The legal basis for data processing for the purposes of the legitimate interests pursued by the controller or by a third party is Article 6 para. 1 lit. f GDPR.

  3. Data processing for compliance with a legal obligation

We also process your data if this is necessary to fulfil a legal obligation to which we are subject. The obligations we have to fulfil include, in particular, the retention requirements under tax and commercial law and the obligations under the anti-terrorism regulations (EC) 2580/2001 and No. 881/2002.

The legal basis for processing for the purpose of fulfilling a legal obligation is Article 6 para. 1 lit. c GDPR in conjunction with the relevant legal norm.

  4. Data processing based on consent and for other purposes

We may process your personal data if you have given your express consent to do so (see Art. 6 para. 1 lit. a GDPR). In these cases, we will provide you with additional data protection information separately as part of the consent procedure. You can revoke your consent at any time using the contact details given above.

If you have given us your consent to receive our newsletter, your personal data will be processed on the basis of this consent exclusively for the purpose of sending you the newsletter.

If we process your personal data in the future for other purposes not listed in this data protection notice, we will inform you of this separately in accordance with the legal requirements.

Categories of recipients of personal data

  1. External service providers and affiliated companies

Our external service providers and our affiliated companies that carry out data processing on our behalf are, to the extent required by law, contractually obliged to treat personal data in accordance with the applicable regulations within the meaning of Art. 28 GDPR. Insofar as these companies come into contact with your personal data, we have taken legal, technical and organizational measures and carry out regular checks to ensure that they comply with data protection laws.

  2. Third parties

We will provide your personal data to the authorities where necessary, insofar as this is required by our legal reporting obligations. In addition, your personal data will be transmitted to our tax advisor and auditor, as well as to credit institutions for the legitimation of account authorizations and within the framework of the Money Laundering Act (GwG), insofar as this is necessary for their activities.

  3. Data transfer to a third country

In principle, we do not transfer your personal data to a third country or to an international organization outside the European Economic Area (EEA). Should we make such a transfer in individual cases, this will only be to third countries for which an adequacy decision has been made by the European Commission or for which the adequate level of data protection has been ensured by appropriate or suitable guarantees (e.g. Binding Corporate Rules or EU standard contractual clauses).

Duration of data storage

We only store your personal data for the duration for which it is required for the purposes mentioned above and for the period during which we must potentially expect the assertion of legal claims against us. The statutory limitation period for such claims can be between three and thirty years in individual cases.

In addition, we store your personal data insofar as we are obliged to do so within the framework of the statutory obligations to provide evidence and to retain data (e.g. in accordance with the German Commercial Code, the German Fiscal Code or the German Money Laundering Act). The statutory retention periods can be up to ten years. Furthermore, in exceptional cases, there may be special obligations to provide evidence that make it necessary to store your personal data for a longer period of time.

 

 

Information for applicants

 

Source of the data

Generally, you provide us with your personal data with your application. We collect your personal data directly from you.

However, we may also process personal data that we have not collected ourselves. The source of the data may be public. Such sources are:

  • HR service providers

We occasionally commission HR service providers to find suitable personnel to fill vacancies. Your application documents will be forwarded to us in order to continue the application process.

  • Professional social networks

We use professional social networks such as XING or LinkedIn to find suitable personnel to fill vacancies and to contact these people if necessary.

  • Employment agency

We may receive your application and thus your personal data from the employment agency to fill vacancies in our company that are advertised there.

  • Universities/higher education institutions

We may receive your application documents and thus your personal data from your university/higher education institution for the purpose of filling a vacancy in our company.

Furthermore, in certain cases, we may receive your personal data from third-party, non-public sources. These are:

  • HR service providers

We occasionally hire recruitment agencies to find suitable personnel to fill vacancies. Your application documents will be forwarded to us in order to continue the application process.

  • Professional social networks

We use professional social networks such as XING or LinkedIn to find suitable personnel to fill vacancies and to contact these people if necessary. Furthermore, our application portal offers the option of importing your CV and other data from a professional social network. Accordingly, your personal data is not collected directly from you, but comes from the professional social network.

  • Employment agency

We may receive your application and thus your personal data from the employment agency for filling vacancies in our company that are advertised there.

  • Universities/higher education institutions

We may receive your application documents and thus your personal data from your university/college for filling a vacancy in our company.

Purposes and legal basis of data processing

We process your personal data exclusively in accordance with the legal requirements of the GDPR, the BDSG and any relevant sector-specific laws. Therefore, we process your data for the purpose of carrying out the application process or if you give us your consent to process the data.

  1. Data processing for the purpose of carrying out the application process

We process your personal data to the extent necessary for the application process. This includes your contact details (surname, first name, postal address, telephone number, email address), your complete application documents (such as photo, CV, certificates, references) and all data that you disclose to us during the application process. The legal basis for data processing for the purpose of the employment relationship is usually Article 6 para. 1 lit. b GDPR, Article 88 GDPR in conjunction with Section 26 BDSG.

  2. Data processing for the fulfilment of a legal obligation

We process your data to the extent necessary to fulfill a legal obligation to which we are subject as a company. This includes, in particular, our obligations under the anti-terrorism regulations (EC) 2580/2001 and No. 881/2002. For the purpose of fulfilling this legal obligation, your data will be compared with the so-called “EU terror lists”.

The legal basis for processing for the purpose of fulfilling a legal obligation is Article 6 para. 1 lit. c GDPR in conjunction with the relevant legal norm.

  3. Data processing based on consent

We may process your personal data if you have given your express consent (see Article 6 para. 1 lit. a GDPR). In these cases, we will provide you with additional data protection information separately as part of the consent procedure. You can revoke your consent at any time using the contact details given above.

If we process your personal data in the future for further purposes not listed in this data protection notice, we will inform you of this separately in accordance with the legal requirements.

Categories of recipients of personal data

  1. External service providers and affiliated companies

Our external service providers and our affiliated companies that carry out data processing on our behalf are, to the extent required by law, contractually obliged to treat personal data in accordance with the applicable regulations within the meaning of Art. 28 GDPR. Insofar as these companies come into contact with your personal data, we have ensured through legal, technical and organizational measures, as well as through regular controls, that they comply with the provisions of data protection laws.

  2. Third parties

We will provide your personal data to the authorities where necessary, insofar as this is required by our legal reporting obligations. Furthermore, we may provide your personal data in the form of your application to our customers if your services are required in the context of a project for one of our customers.

  3. Data transfer to a third country

In principle, we do not transfer your personal data to a third country or to an international organization outside the European Economic Area (EEA). Should we make such a transfer in individual cases, this will only be to third countries for which an adequacy decision has been made by the European Commission or for which the adequate level of data protection has been ensured by appropriate or suitable guarantees (e.g. Binding Corporate Rules or EU standard contractual clauses).

Duration of data storage

We only store your personal data for the duration of the application process, as well as for the period during which we may potentially have to expect the assertion of legal claims against us. The statutory limitation period for such claims in the context of the application process is 6 months after the application process has ended.

If you have given us your consent to process your data, your data will be processed until you withdraw your consent.

If an employment relationship arises from your application, the retention periods for employee data apply accordingly.

 

 

Information for employees

 

Source of the data

Generally, we collect your personal data directly from you, via our personnel questionnaire at the start of your employment.

However, we may also process personal data that we have not collected ourselves. In this case, the source of the data may be public. Such sources are:

  • Insurance companies (e.g. pension insurance)

We may receive personal data about you from your insurance companies, in particular your pension insurance company, in order to provide the necessary services within the scope of the employment relationship.

  • Health insurance companies

We may receive personal data about you from your health insurance company in order to provide the necessary services in the context of the employment relationship.

  • Temporary placement agency

If you are employed by us as a temporary employee, we generally receive your personal data from the temporary placement agency that we have commissioned to provide you.

  • Temporary employment agency

If you are employed by us as a temporary worker, we usually receive your personal data from the temporary employment agency that we have commissioned and which provides you.

Purposes and legal basis of data processing

We process your personal data exclusively in accordance with the legal requirements of the GDPR, the BDSG and any relevant sector-specific laws. Therefore, we process your data if an employment relationship exists, we have a legitimate interest in processing your data, you have given us your consent to process the data or a law allows or obliges us to process your data.

  1. Data processing for the purpose of the employment relationship

We process your personal data to the extent necessary for the performance of the employment relationship. This includes, among other things, personal information (e.g. your first and last name, your address, your telephone/mobile number, your email address, your bank details), information about your employment (e.g. your job title, your highest school-leaving qualification), tax information (e.g. your ID number, your tax bracket) and social security (e.g. your health insurance company), your salary and payroll data, personal information such as the number of children, data on severe disabilities, other data from the personal questionnaire or from your application documents, information on employment (e.g. illness data, interview records, personnel development information, employee evaluations).

The legal basis for data processing for the purpose of the employment relationship is usually Article 6 para. 1 lit. b GDPR, Article 88 GDPR in conjunction with Section 26 BDSG.

  2. Data processing for the purpose of protecting the legitimate interests of the controller or a third party

We also process your data to the extent necessary to protect our legitimate interests or the legitimate interests of a third party. The processing we carry out on the basis of a legitimate interest regularly includes the compilation of internal statistics, the investigation of criminal offenses, and measures to ensure the proper operation of our IT infrastructure.

The legal basis for data processing to protect the legitimate interests of the controller or a third party is Article 6 para. 1 lit. f GDPR.

  3. Data processing to fulfill a legal obligation

We also process your data if this is necessary to fulfill a legal obligation to which we are subject. The obligations we have to fulfill include, in particular, the tax and commercial law retention requirements, as well as the obligations of the social security codes and the obligations of the legal regulations on the topics of occupational safety, fire protection, compliance and data protection.

The legal basis for processing for the purpose of fulfilling a legal obligation is Art. 6 para. 1 lit. c GDPR in conjunction with the relevant legal norm.

  4. Data processing based on consent and for other purposes

We also process your personal data if you have given your express consent to do so (see Art. 6 para. 1 lit. a GDPR). In these cases, we will provide you with additional data protection information as part of the consent procedure. You can revoke your consent at any time using the contact details given above.

If we process your personal data in the future for other purposes not listed in this data protection notice, we will inform you of this separately in accordance with legal requirements, if applicable.

Categories of recipients of personal data

  1. External service providers and affiliated companies

Our external service providers and our affiliated companies that carry out data processing on our behalf are, to the extent required by law, contractually obliged to treat personal data in accordance with the applicable provisions within the meaning of Article 28 of the GDPR. Insofar as these companies come into contact with your personal data, we have ensured through legal, technical and organizational measures, as well as through regular controls, that they comply with the provisions of data protection laws.

  2. Third parties

We will provide your personal data to the authorities where necessary, insofar as this is required by our legal reporting obligations. In addition, your personal data will be transmitted to our tax consultant and, if necessary, to our auditor, provided that this is necessary for their work.

Furthermore, we may transfer your personal data to our customers in order to ensure the implementation of the corresponding projects. In addition, your personal data will be transferred to our tax advisor for the purpose of carrying out the accounting.

Furthermore, the following bodies may receive personal data from you:

  • Various offices (e.g. integration office, tax office)

  • Various insurance companies and, if applicable, consultants of MLP SE

  • Health insurance

  • Pension insurance

  • Various companies where you are deployed for projects

  • Authorities within the EU for issuing A1 certificates for business trips

  • Company doctor, occupational safety specialist, data protection officer

  • Law firms

  • Professional association

  3. Data transfer to a third country

As a matter of principle, we do not transfer your personal data to a third country or to an international organization outside the European Economic Area (EEA). Should we make such a transfer in individual cases, this will only be to a third country for which an adequacy decision has been made by the European Commission or for which an adequate level of data protection has been ensured by means of appropriate or suitable guarantees (e.g. Binding Corporate Rules or EU standard contractual clauses).

Duration of data storage

We only store your personal data for the duration for which the processing of your data is necessary for the employment relationship, as well as for the period during which we must potentially expect the assertion of legal claims against us. The statutory limitation period for such claims can be between three and thirty years in individual cases.

In addition, we store your personal data insofar as we are obliged to do so within the scope of the statutory obligations to provide evidence and to store data (e.g. in accordance with the German Commercial Code, the German Fiscal Code or the German Money Laundering Act). The statutory retention periods can be up to ten years. Furthermore, in exceptional cases, there may be special obligations to provide evidence that make it necessary to store your personal data for a longer period of time.

 

 

Rights of the data subjects

 

As a data subject, you have the following rights with respect to us in accordance with Art. 15 ff. of the GDPR. Please contact us by email at datenschutz@sternico.com. Alternatively, please send us your request by post to the above address.

  1. Right to information

You have the right to request information from us about whether we process personal data concerning you. If this is the case, you have the right to request information from us about this personal data.

  2. Right to rectification

You have the right to request that we correct inaccurate personal data concerning you.

  3. Right to erasure

In certain cases, you have the right to demand that we delete personal data concerning you without delay.

  4. Right to restriction of processing

In certain cases, you have the right to demand that we restrict the processing.

  5. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.

  6. Right to object to data processing in accordance with Article 21 of the GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. If we use your data for direct marketing purposes, you can object to this at any time.

  7. Right to withdrawal

If you have given us permission to use personal data, you can revoke this permission at any time.

  8. Right not to be subject to a decision based solely on automated processing, including profiling

If we use your personal data to make a decision about you that is based solely on automated processing, you have the right to request that this decision not be made solely by automated means.

  9. Right to lodge a complaint with the data protection supervisory authority

Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority regarding the processing of your personal data. The data protection supervisory authority responsible for us is:

The State Data Protection Officer for Lower Saxony
Prinzenstraße 5
30159 Hannover

Tel.: +49 (511) 1204500
Email: poststelle@lfd.niedersachsen.de

 

If you have any further questions or comments, please do not hesitate to contact us or our data protection officer.

Last updated: September 2024