Data privacy statement

Thank you for your interest in our company. Data privacy is of great importance for the management of HIRTLER RE GMBH. Use of the Internet pages of HIRTLER RE GMBH is possible in principle without stating any personal data. If, however, a data subject would like to make use of special services provided by our company, it may be necessary to process personal data. If the processing of personal data is required and there is no legal basis for the processing, we generally obtain consent from the data subject.

The processing of personal data, for example the name, address, e-mail address or telephone number of a data subject, is always in line with the General Data Protection Regulation and in accordance with the specific regional data privacy regulations applicable to HIRTLER RE GMBH. Through this data privacy statement, our company would like to inform the public about the type, scope and purpose of the personal data we collect, use and process. In addition, data subjects are instructed in this data privacy statement about their due rights.

HIRTLER RE GMBH as the party responsible for the processing has implemented many technical and organisational measures to ensure the most comprehensive possible protection of the personal data processed through this website. Even so, Internet-based data transmission can have security gaps so that absolute protection cannot be guaranteed. For this reason, every data subject has the option of conveying personal data to us through alternative channels, for example by telephone.

1. Terminology
The HIRTLER RE GMBH data privacy statement is based on the terminology used by the European regulatory authorities when issuing the General Data Protection Regulation (GDPR). Our data privacy statement sets out to be easily readable and understandable both for the public and for our customers and business partners. To ensure this, we would like to explain the terminology used in advance. Our data privacy statement includes the following terms:

a) Personal data
Personal data is all information that refers to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified directly or indirectly, especially through attribution of a reference such as a name, reference number, location details, online references or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by those responsible for processing.

c) Processing
Processing is any procedure or series of procedures carried out in connection with personal data, with or without the help of automated processes, such as collection, compiling, organisation, ordering, storage, adaptation or amendment, reading, enquiring, use, disclosure through transmission, spreading or other form of provision, comparison or linking, restriction, deletion or destruction.

d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.

e) Profiling
Profiling is every kind of automated processing of personal data that consists in this personal data being used to evaluate certain personal aspects relating to a natural person, especially to analyse or predict aspects regarding the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of this natural person.

f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a way that it can no longer be attributed to a specific data subject without referring to additional information, insofar as this additional information is stored separately and is subject to technical and organisational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person.

g) Party responsible for the processing
The party responsible for the processing is the natural or legal person, authority, establishment or other office that decides alone or together with others about the purposes and means of processing personal data. If the purposes and means of this processing are determined by Union law or the law of the member states, the responsible party can base their criteria on these.

h) Order processing
An order processor is a natural or legal person, authority, establishment or other office that processes data on behalf of the responsible party.

i) Recipient
A recipient is a natural or legal person, authority, establishment or other office to which personal data is disclosed, regardless of whether it is a third party or not. Authorities who may receive personal data as part of a specific investigation order according to Union law or the law of the member states are not considered recipients, however.

j) Third party
A third party is a natural or legal person, authority, establishment or other office, other than the data subject, the responsible party, the order processor, that is authorised to process the personal data under the direct responsibility of the responsible party.

k) Consent
Consent is any voluntary declaration of willingness by the data subject for the specific case, in an informed and unequivocal manner and in the form of a declaration or other clearly confirming action, with which the data subject communicates that they agree to the processing of the personal data concerning them.

2. Name and address of the responsible party
The responsible party as defined by the General Data Protection Regulation, other data privacy laws applicable to the member states of the European Union and other provisions of a data privacy nature is:
 

HIRTLER RE GMBH
DE 79106 Freiburg
Zollhallenplatz 1
more@hirtler-re.de
+49 761 600 896 1
+49 172 69 38 800

 

3. Collection of general data and information

The HIRTLER RE GMBH website collects a series of general data and information with every access to the website by a data subject or an automated system. This general data and information is stored in the logfiles of the server. Collected data can include (1) the used browser types and versions, (2) the operating system used by the accessing system, (3) the webpage from which an accessing system arrives at our website (so-called referrer), (4) the subordinate webpages that are directed towards our website through an accessing system, (5) the date and time of an access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that serve the purpose of averting danger in case of attacks on our information technology systems.
When using this general data and information, HIRTLER RE GMBH does not draw any conclusions about the data subject. Instead this information is needed (1) to deliver the contents of our website correctly, (2) to optimise the content of our website and its advertising, (3) to ensure the ongoing functionality of our information technology systems and our website technology and (4) to provide criminal prosecution authorities with the necessary information for prosecution in the event of a cyber attack. This anonymously collected data and information is evaluated by HIRTLER RE GMBH on the one hand statistically and additionally with the aim of increasing data protection and data security in our company, in order to ultimately ensure an optimal protection level for the personal data we process. The anonymous data of the server logfiles is stored separately from all personal data provided by a data subject.

4. Routine deletion and blocking of personal data

The party responsible for processing processes and stores the personal data of the data subject only for the period necessary to accomplish the storage purpose or insofar as it is subject to laws or regulations prescribed by the European regulatory authorities or another authority.
If the storage purpose expires or a storage period prescribed by a European regulatory authority or another responsible legal authority expires, the personal data is blocked or deleted as a matter of routine and in accordance with the legal regulations.

5. Rights of the data subject
a) Right to confirmation
Every data subject is accorded the right by the European regulatory authorities to receive a confirmation from the party responsible for processing whether they are processing personal data pertaining to them. If a data subject wishes to exert this right of confirmation, they can contact an employee of the responsible party at any time.

b) Right to information
Every data subject affected by the processing of personal data is accorded the right by the European regulatory authorities to receive information free of charge from the party responsible for the processing about the personal data stored about their person and to receive a copy of this information. In addition, the European regulatory authorities grant the data subject access to the following information:

  • the purposes of the processing
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data has been disclosed or is still being disclosed, especially for recipients in third countries or at international organisations
  • if possible, the planned duration for which the personal data will be stored, or if this is not possible, the criteria for determining this duration
  • the existence of a right to correction or deletion of the personal data pertaining to them, or to restriction of the processing by the responsible party, or a right to objection against this processing
  • the existence of a right to complain to a supervisory authority
  • if the personal data is not collected from the data subject: all available information about the source of the data
  • the existence of automated decision-making, including profiling in accordance with article 22 par. 1 and 4 GDPR and – at least in these cases – clear information about the logic involved as well as the scope and the targeted outcome of such a processing for the data subject

In addition, the data subject has a right to information about whether personal data was transmitted to a third country or an international organisation. If this is the case, the data subject also has the right to receive information about suitable guarantees in connection with the transmission.
If a data subject wishes to exert this right to information, they can contact an employee of the party responsible for the processing at any time.

c) Right to correction
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to request the immediate correction of any incorrect personal data pertaining to them. The data subject also has the right, under consideration of the purposes of the processing, to request the completion of incomplete data, also by means of a supplementary explanation.
If a data subject wishes to exert this right to correction, they can contact an employee of the party responsible for the processing at any time.

d) Right to deletion (right to be forgotten)
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to request from the party responsible for processing that they delete personal data pertaining to them without delay, if one of the following grounds applies and insofar as the processing is not necessary:

  • the personal data was collected or otherwise processed for purposes for which it is no longer needed,
  • the data subject revokes their consent on which the processing was based, as defined by Art. 6 par. 1 letter a GDPR or Art. 9 par. 2 letter a GDPR and there is no alternative legal basis for the processing.
  • the data subject files an objection to the processing in accordance with Art. 21 par. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in accordance with Art. 21 par. 2 GDPR.
  • the personal data was illegitimately processed.
  • the deletion of the personal data is necessary to fulfil a legal obligation according to Union law or the law of the member states to which the responsible party is subject.
  • the personal data was collected in relation to services offered by the information supplier in accordance with Art. 8 par. 1 GDPR.

If one of these grounds applies and a data subject would like to instigate a deletion of personal data stored by HIRTLER RE GMBH, they can contact an employee of the party responsible for the processing at any time. The employee at HIRTLER RE GMBH will ensure that the deletion request is met without delay.
If the personal data was made public by HIRTLER RE GMBH and if our company as the responsible party is obliged to delete the personal data in accordance with Art. 17 par. 1 GDPR, then HIRTLER RE GMBH will take appropriate measures, including technical, under consideration of the available technology and the implementation costs, to inform others responsible for the data processing who are processing the disclosed personal data that the data subject has requested the deletion of all links to this personal data or of all copies or duplicates of this personal data, insofar as the processing is not required. The employee at HIRTLER RE GMBH will instigate what is necessary in the individual cases.

e) Right to restriction of processing
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to request the restriction of the processing by the responsible party, under one of the following conditions:

  • the accuracy of the personal data is disputed by the data subject. The processing should be restricted for a duration that allows the responsible party to check the accuracy of the personal data.
  • the processing is illegitimate, the data subject declines the deletion of the personal data and requests instead the restriction of the use of personal data.
  • the responsible party no longer needs the personal data for the purposes of processing, but the data subject needs it to claim, exert or defend legal claims.
  • the data subject has filed an objection to the processing in accordance with Art. 21 par. 1 GDPR and it has not yet been established whether the legitimate grounds of the responsible party override those of the data subject.

If one of the aforementioned conditions applies and a data subject would like to request the restriction of the processing of the personal data stored by HIRTLER RE GMBH, they can contact an employee of the party responsible for processing at any time. The employee at HIRTLER RE GMBH will instigate the restriction of the processing.

f) Right to data portability
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to receive the respective personal data provided to the responsible party by the data subject in a structured, current and machine-readable format. They also have the right to have this data transferred to another responsible party without obstruction by the holding responsible party, insofar as the processing is based on consent in accordance with Art. 6 par. 1 letter a GDPR or Art. 9 par. 2 letter a GDPR or on a contract in accordance with Art. 6 par. 1 letter b GDPR and the processing is with the help of automated procedures, as long as the processing is not needed for the fulfilment of a task that is in the public interest or that was conferred to the responsible party.
In addition, when exerting their right to data portability in accordance with Art. 20 par. 1 GDPR, the data subject has the right to instigate the personal data being transmitted directly from one responsible party to another, insofar as this is technically feasible and it does not compromise the rights and freedoms of other persons. To exert the right to data portability, the data subject can contact an employee at HIRTLER RE GMBH at any time.

g) Right to objection
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to raise an objection against the processing of respective personal data for reasons, based on Art. 6 par. 1 letter e or f GDPR, due to grounds resulting from their specific situation. This also applies to profiling based on these provisions. HIRTLER RE GMBH no longer processes the personal data in the event of an objection, unless mandatory grounds for the processing can be proven that override the interests, rights and freedoms of the data subject, or the processing serves the claim, exertion or defence of legal claims.
If HIRTLER RE GMBH processes the data for direct advertising purposes, the data subject has the right to lodge a complaint at any time against the processing of the personal data for such advertising purposes. This also applies to profiling, if it is connected to such direct advertising. If the data subject objects to HIRTLER RE GMBH about the processing for purposes of direct advertising, then HIRTLER RE GMBH will no longer process the personal data for these purposes. In addition, the data subject has the right, for reasons resulting from their special situation, to object to the processing of personal data pertaining to them at HIRTLER RE GMBH for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 par. 1 GDPR, unless such processing is necessary to fulfil a task in the public interest.
To exert the right to objection, the data subject can contact any employee of HIRTLER RE GMBH directly. The data subject is also entitled to exert their right to objection by means of automated procedures in which technical specifications are used, in connection with the use of services of the information company, regardless of the directive 2002/58/EC.

h) Automated decisions in individual cases including profiling
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities not to be subject to a decision based exclusively on automated processing – including profiling – that has a legal effect on them or significantly compromises them in a similar manner, insofar as the decision (1) is not necessary for the conclusion or fulfilment of a contract between the data subject and the responsible party or (2) is permissible on the basis of legal regulations of the Union or member states that the responsible party is subject to and these legal regulations contain appropriate measures for upholding rights and freedoms as well as the justified interests of the data subject, or (3) is upon the explicit consent of the data subject.
If the decision (1) is necessary for the conclusion or fulfilment of a contract between the data subject and the responsible party or (2) is upon the explicit consent of the data subject, HIRTLER RE GMBH takes appropriate measures to uphold the rights and freedoms, as well as the legitimate interests of the data subject, which includes at least the right to obtain the intervention of a person on behalf of the responsible party, upon presentation of one’s own standpoint and appeal against the decision.
If the data subject wishes to exert rights in relation to automated decisions, they can contact an employee of the party responsible for the processing at any time.

i) Right to revocation of a data privacy consent
Every person affected by the processing of personal data is accorded the right by the European regulatory authorities to revoke a consent to process personal data. If the data subject wishes to exert their right to revocation of a consent, they can contact an employee of the party responsible for the processing at any time.

6. Legal basis of the processing
Art. 6 I lit. a GDPR serves our company as the legal basis for processing procedures in which we obtain a consent for a specific processing purpose. If the processing of personal data is necessary for the fulfilment of a contract, whose contracting party is the data subject, as is the case for example in processing procedures necessary for the delivery of goods or performance of another service or return service, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing procedures that are necessary to carry out precontractual measures, such as in cases of enquiries about our products or services. If our company is subject to a legal obligation due to which the processing of personal data becomes necessary, such as to fulfil tax duties, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data can become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our company were injured and then their name, age, health insurance details or other vital information would need to be passed on to a doctor, a hospital or other third parties. Then the processing would be based on Art. 6 I lit. d GDPR. Finally, the processing procedures could be based on Art. 6 I lit. f GDPR. This is the legal basis for processing procedures that are not covered by any of the aforementioned legal bases if the processing is to uphold a legitimate interest of our company or of a third party, insofar as the interests, basic rights and freedoms of the data subject are not overriding. Such processing procedures are permitted to us in particular because they have a special mention by the European legislators, who represented the opinion that a legitimate interest could be assumed if the data subject is a customer of the responsible party (Recital 47 Line 2 GDPR).

7. Legitimate interests in processing that are pursued by the responsible party or a third party
If the processing of personal data is based on Art. 6 I lit. f GDPR, our legitimate interest is to carry out our business activity in the interests of the wellbeing of all our employees and shareholders.

8. Duration for which the personal data is stored
The criterion for the duration of the storage of personal data is the respective legal storage period. After expiry of this period, the respective data is deleted as a matter of routine, insofar as it is no longer needed to fulfil a contract or contract preparation.

9. Legal or contractual regulations for the provision of personal data; requirement for contract conclusion; obligation of the data subject to provide the data; possible consequences of not providing it
We inform you that the provision of personal data is partly legally prescribed (e.g. tax regulations) or can result from contractual rulings (e.g. details of the contracting partner). It can be necessary for the conclusion of a contract for a data subject to provide us with personal data which we must then process. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. The consequence of not providing the personal data would be that the contract cannot be concluded. Before a provision of personal data by the data subject, the data subject must contact one of our employees. Our employee explains to the data subject in the individual case whether the provision of personal data is legally or contractually prescribed or is necessary for concluding the contract, whether there is an obligation to provide the personal data and what consequence not providing them would have.

10. Automated decision-making
As a responsible company, we avoid automated decision-making or profiling.

This data privacy statement was compiled by a data privacy statement generator of DGD Deutsche Gesellschaft für Datenschutz GmbH (German Association for Data Protection), which acts as an external data privacy appointee (https://dg-datenschutz.de/datenschutz-dienstleistungen/externer-datenschutzbeauftragter/), in cooperation with the solicitor for data privacy law (https://www.wbs-law.de/it-right/datenschutzrecht/) Christian Solmecke.