The following information explains how we process your personal data and which rights and claims you have under the data protection regulations. Which personal data is used and how it is used depends on the type of services that have been agreed with you or are required.
1. Who is responsible for data processing?
TÜV NORD Akademie GmbH & Co. KG
Große Bahnstr. 31
Contact details of our Data Protection Officer:
Mr. Berthold Weghaus
TÜV NORD AG
Am Technologiepark 1
2. Which sources and data are used?
We process personal data that we received from you in the context of our business relationship. In addition, as far as necessary for the delivery of our service, we process personal data that we have permissibly obtained (e.g. to execute orders, to fulfil contracts or on the basis of your consent) from other companies of the TÜV NORD GROUP or from any other third party (e.g. credit agency). We may also process personal data that we have permissibly obtained from publicly accessible sources (e.g. debtors' lists, land registers, registers of companies and associations, press and media).
Personal data includes information such as name, address and other contact details, and date and place of birth. It may also include order data (e.g. payment order), data resulting from the performance of our contractual obligations (e.g. sales data in transactions), credit line, product data, information concerning your financial situation (creditworthiness data, rating data), marketing and sales data (including direct marketing), documentation data (e.g. advice record), register data, data relating to your usage of the telecommunication media we provide (e.g. the time you access our websites, apps or newsletter, clicked websites or postings) and other data similar to these types.
3. The purpose for which we process your personal data and on which legal base
We process personal data in compliance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
3a. Processing for the performance of contractual obligations (Art. 6(1)(b) GDPR)
The processing of personal data (Art. 4(2) GDPR) is necessary for providing training services, testing and certification services and advisory services, in particular for fulfilling contracts or taking pre-contractual measures at your request, for executing your orders, and for all activities that are necessary in connection with operation and management. The purpose of data processing mainly depends on the particular service (e.g. training, testing, certification and auditing) and may include needs analysis and consulting. You can find further details on the purpose of data processing in the relevant contractual documents and general terms.
3b. Legitimate interests (Art. 6(1)(f) GDPR)
Where needed, we process your personal data beyond the fulfilment of the contract itself in order to safeguard our legitimate interests or those of third parties.
- Consultation and sharing of data with public authorities and accreditation bodies (e.g. BASt, DAkkS) for the determination of default risks;
- Analysis and optimisation of procedures for needs analysis and direct customer approach;
- Advertising or market research, provided you have not objected to the use of data;
- Exercising legal rights and defence in legal disputes;
- Safeguarding IT security and IT operations;
- Preventing and solving crimes;
- Video surveillance, which helps to collect evidence in case of offences or for transactions and payments, e.g. at ATMs. It serves to protect customers and employees and to exercise the domiciliary right;
- Measures to ensure the security of buildings and installations (e.g. access control);
- Measures to safeguard the domiciliary right;
- Business management and measures to develop services and products.
3c. Consent of the data subject (Art. 6(1)(a) GDPR)
If you have given us your consent to process data for specific purposes (e.g. data transmission in the TÜV NORD GROUP, evaluation of customer traffic data for marketing purposes), the lawfulness of that processing is based on your consent. You may revoke your consent at any time. This also applies to the revocation of consent given to us before the GDPR came into force on 25 May 2018. Please note that the revocation only takes effect for the future. Data processing that took place before the revocation of consent is not affected.
3d. Satisfying legal regulations (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)
Moreover, as a group company of the TÜV NORD GROUP we are subject to various legal obligations, i.e. legal and supervisory requirements. The purposes of processing include the identity and age verification, fraud prevention, the performance of checking and reporting requirements as well as the evaluation and controlling of risks.
4. Who are the recipients of my data?
Your data is shared within the TÜV NORD GROUP with those departments that need your data for the performance of our contractual and legal obligations. Our contracted processors (Art. 28 GDPR) may also receive data for any of these purposes. These are companies in the categories IT services, logistics, printing services, telecommunications, debt collection, advisory and consulting, and marketing and sales.
Regarding forwarding data to third parties outside the TÜV NORD GROUP, we are obliged to keep confidential all customer-related facts and assessments (inter alia professional secrecy). We are only allowed to transfer your data if it is required by legal regulations, if you give consent, or if we are or will be authorised to provide information (release from the confidentiality). In the light of the above, we may transfer your data to:
- public authorities and institutions in the event of a legal or regulatory obligation.
- other service providers or similar institutions to which we transmit your personal data to perform the business relationship (depending on the contract: e.g. respondent institutions, certification bodies, accreditation bodies).
Further recipients of data may be those authorities or bodies for which you have given us your consent to transmit your data, or with respect to which you have released us from professional secrecy by agreement or consent.
5. Is personal data transmitted to a third country or to an international organisation?
Data is only transmitted to third countries (countries outside the European Economic Area – EEA), if
- necessary for performing your orders,
- required by law or
- you have given your consent.
We will contact you about details separately, if required by law.
6. Duration of storage of personal data
We store and process your personal data, where required, for the duration of our business relationship, which includes e.g. contract initiation and implementation. Note, however, that our business relationship can be a continuing obligation lasting several years. Furthermore, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO). The time limits set in these for storage or documentation are two to ten years. Lastly, the storage period also depends on the legal limitation periods, which are generally three years and in certain cases up to thirty years, in accordance with Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB).
7. What are my data protection rights?
Every data subject shall have
- the right to access in accordance with Art. 15 GDPR,
- the right to rectification in accordance with Art. 16 GDPR,
- the right to erasure in accordance with Art. 17 GDPR,
- the right to restriction of processing in accordance with Art. 18 GDPR and
- the right to data portability in accordance with Art. 20 GDPR.
The restrictions in accordance with Sections 34 and 35 BDSG apply to the right to access and the right to erasure. Furthermore, data subjects have
- the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).
8. Is the data subject obliged to provide data?
For our business relationship, you only have to provide data that is necessary for the establishment, the performance and the termination of a business relationship, or in cases for which we are legally required to collect data. Without this data, we generally have to reject the execution of the contract or the performance of the order, or we can no longer fulfil the terms of the existing contract and, where appropriate, have to terminate it.
In particular, due to supervisory regulations, we are obliged to identify you by means of your identity card when establishing the business relationship. We have to collect your name, your date and place of birth, your nationality and your address. To fulfil these legal obligations, you have to provide all the information and documentation required and notify us immediately of any changes that occur in the course of the business relationship. If you do not provide all the information and documentation required, we are not permitted to enter into or continue the business relationship you have requested.
9. Automated decisions on a case-by-case basis
In principle, we do not use automated decisions in accordance with Art. 22 GDPR for the establishment and the performance of the business relationship. If we apply these procedures on a case-by-case basis, we will contact you separately where legally required.
10. To what extent is data used for profiling (scoring)?
We can process your data automatically with the aim of evaluating specific personal aspects (profiling). We use profiling e.g. in the following cases:
- We use evaluation tools in order to provide targeted information on products. These tools allow appropriate communication and advertising, including market and opinion research.
- To assess your creditworthiness, we use scoring in the case of private customers and rating in the case of corporate customers. This calculates the probability that the customer is able to meet the contractual payment obligations.
Scoring and rating are both based on a proven and recognised mathematical and statistical method. The calculated score values assist in making decisions and are used for the ongoing risk management.
Right to object in accordance with Art. 21 General Data Protection Regulation (GDPR)
1. Individualised right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning your person which is based on point (f) of Article 6(1) GDPR (processing data on the basis of legitimate interests), including profiling which we use for credit rating or for advertising purposes based on those provisions in accordance with Article 4(4) GDPR.
If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
2. Right to object to direct marketing
In individual cases, we process your personal data for direct marketing. You have the right to object at any time to processing of personal data concerning your person for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you file an objection to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
You can file an informal objection to:
TÜV NORD Akademie GmbH & Co. KG
Große Bahnstr. 31