Data protection information

Responsible offices:

TÜV NORD CERT GmbH 
Am TÜV 1 
45307 Essen 
TÜV NORD CERT

Prüf- und Umweltgutachtergesellschaft mbH 
Am TÜV 1 
30519 Hannover

on the basis of the agreement on the joint responsibility

We hereby inform you about the processing of your personal data by us and the claims and rights to which you are entitled according to the data protection regulations. Which data is processed in detail and how it is used depends largely on the services you have requested or agreed with you.

Responsible offices:

TÜV NORD CERT GmbH
Am TÜV 1 
45307 Essen

TÜV NORD CERT 
Prüf- und Umweltgutachtergesellschaft mbH 
Am TÜV 1 
30519 Hannover

info.tncert@tuev-nord.de 

You can reach our data protection officer:

TÜV NORD AG
Chief Officer for Data Protection 
Am TÜV 1
45307 Essen 
privacy@tuev-nord.de

We process personal data that we receive from you within the scope of our business relationship. In addition, we process - insofar as this is necessary for the provision of our services - personal data which we have received from other companies of the TÜV NORD GROUP or from other third parties (e.g. the credit agency) in a permissible manner (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consent given by you). On the other hand we process personal data Data that we have obtained and are permitted to process from publicly accessible sources (e.g. debtor lists, land registers, commercial and publishing registers, press, media). 

Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), legitimacy data (e.g. identity card data) and authentication data (e.g. signature sample). In addition, this can also include order data (e.g. payment order), data from the fulfilment of our contractual obligations (e.g. turnover data in payment transactions), credit limits, product data, information about your financial situation (creditworthiness data, scoring/rating data), advertising and sales data (including advertising scores), documentation data (e.g. advertising data, advertising data, etc.), data about your financial situation (e.g. creditworthiness data, scoring/rating data), advertising and sales data (including advertising scores), documentation data (e.g. creditworthiness data), data about your customers (e.g. creditworthiness data), data about your customers (e.g. creditworthiness data, scoring/rating data). (e.g. consultation protocol), register data, data on your use of our offered telemedia (e.g. time of access to our websites, apps or newsletters, pages clicked on by us or entries) as well as other data comparable with the aforementioned categories.

We process personal data in accordance with the provisions of the European Data Protection Basic Regulation (GDPR) and the Federal Data Protection Act (BDSG).

The processing of personal data (Art. 4 No. 2 GDPR) is carried out in order to provide testing and certification services and assessment services, in particular for the execution of our contracts or pre-contractual measures with you and the execution of your orders as well as all measures required for the operation and administration of a technical monitoring service providers activities. The purposes of the data processing are primarily based on the specific service (e.g. testing, certification, assessment, auditing, effectiveness analyses, effectiveness and functionality tests). Further details on the purpose of data processing can be found in the relevant contract documents and terms of business.

If necessary, we will process your data beyond the actual fulfilment of a contract in order to protect the legitimate interests of us or third parties. 
Examples:

• consultation of and data exchange with authorities, accreditation bodies (e.g. BAST, DakkS) and accreditation bodies e.g. to fulfil notification obligations;
• application of procedures for demand analysis and direct customer contact;
• advertising or market and opinion research, provided that you have not objected to the use of your data;
• assertion of legal claims and defence in the event of legal disputes;
• ensuring IT security and IT operation;
• prevention and investigation of criminal offences;
• measures for building and plant security (e.g. access controls);
• measures for business management and further development of services and products.

If you have given us your consent to process personal data for specific purposes (e.g. forwarding of data within the TÜV NORD Group, evaluation of customer traffic data for marketing purposes), the legality of this processing is based on your consent. Any consent granted can be revoked at any time. This also applies to the revocation of declarations of consent that were issued prior to the validity of the GDPR, i.e. before 25 May 2018, have been granted to us. Please note that the revocation is only effective for the future. Processing operations that took place before the revocation are not affected.

As TÜV NORD GROUP, we are also subject to various legal obligations, i.e. legal requirements and supervisory regulations. The purposes of processing include identification and age verification, fraud prevention, the fulfilment of tax law control and reporting obligations as well as the assessment and control of risks.

Within the TÜV NORD GROUP, those bodies that need your data to fulfil our contractual and legal obligations will hold it. Order processors employed by us (Art. 28 GDPR) may also receive data for these purposes. These are companies in the categories IT services, logistics, printing services, telecommunications, debt collection as well as sales and marketing. 

With regard to the passing on of data to recipients outside the TÜV NORD GROUP, it must first be noted that, in accordance with the General Terms and Conditions of Business agreed between you and us, we are obliged to maintain secrecy about all customer-related facts and information. valuations of which we become aware (e.g. professional secrecy). We may only pass on information about you if this is required by law, if you have given your consent or if we are or will be authorised to provide information (end of the obligation of secrecy). Under these conditions, recipients of personal data may be, for example:

• Public bodies and institutions where there is a legal or official obligation.
• Other service institutes or comparable institutions to which we transmit personal data for the purpose of conducting business relations with you (depending on the contract: e.g. certification bodies, accreditation bodies).

Other data recipients may be those bodies for which you have given us your consent to the transfer of data or for which you have released us from the confidentiality obligation in accordance with the agreement or consent.

If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract. It should be noted that our business relationship can be a continuous obligation that is valid for years. Furthermore, we are subject to various storage and documentation obligations, which result from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods of retention and documentation stipulated there are two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB) are generally 3 years, in However, in certain cases, this can take up to thirty years.

Data will only be transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary to execute your orders, if it is required by law or if you have given us your consent. We will inform you separately about the details, if required by law.

Every data subject has the right to information in accordance with Art. 15 GDPR, the right to correction in accordance with Art. 16 GDPR, the right to deletion in accordance with Art. 17 GDPR, the right to restriction of processing in accordance with Art. 18 GDPR and the right to data transferability under Art. 20 GDPR. The right of information and the right to delete shall be subject to the restrictions pursuant to §§ 34 and 35 BDSG. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with Art. 19 BDSG).

Within the framework of our business relationship, you only have to provide us with the personal data that is necessary for the establishment, execution and termination of a business relationship or that we are legally obliged to collect. Without this data we will have to refuse the conclusion of the contract or the execution of the order or we will no longer be able to execute an existing contract and may have to terminate it. In particular, we are obliged under certain legal regulations to identify you before establishing the business relationship, for example by means of your identity card, and to collect your name, place and date of birth, nationality and address of residence. In order to comply with this legal obligation you must provide us with the necessary information and documents and notify us immediately of any changes arising in the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into the business relationship desired by you.

In order to establish and implement the business relationship, we do not use automated decision making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately if this is legally required.

• On our website, data is collected and stored for marketing and optimisation purposes. This data can be used to create user profiles under a pseudonym. The collected data will not be used to personally identify the visitor of this website without the special consent of the person concerned and will not be merged with personal data about the bearer of the pseudonym. See also the data protection declaration on our website.
• Within the framework of the assessment of creditworthiness, we reserve the right to carry out scoring for private customers and rating for corporate customers in selected cases. The probability with which a customer will meet his payment obligations in accordance with the contract is calculated. Both the scoring and the rating are based on a mathematically and statistically recognised and proven procedure. The calculated score values support us in our decision making and are included in the ongoing risk management.

Responsible office:

TÜV NORD CERT GmbH 
Am TÜV 1 
45307 Essen 
info.tncert@tuev-nord.de

1. Right of objection on a case-by-case basis

   You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data relating to you on the basis of Article 6 paragraph 1 letter f of the GDPR (data processing on the basis of a weighing of interests); this also applies to profiling within the meaning of Art. 4 No. 4 GDPR based on this provision, which we use to assess creditworthiness or for advertising purposes. If you lodge an objection, we will no longer process your personal data unless we can prove that there are compelling reasons for processing which are worthy of protection and which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.

2. Right to object to the processing of data for the purposes of direct advertising

   In individual cases, we process your personal data in order to carry out direct advertising. You have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling, insofar as it is connected with such direct advertising. If you object to the processing for purposes of direct advertising, we will no longer process your personal data for these purposes. The objection can be made informally and should preferably be addressed to: Info.DSGVO.Cert@tuev-nord.de