RYDES GmbH (NAVIT)
Applicable to all of the following descriptions of data processing.
The controller responsible for the processing of your personal data in the context of this contact is
RYDES GmbH (NAVIT)
Brunnenstraße 19-21
10119 Berlin
Germany
[email protected]
www.navit.com
The appointed Data Protection Officer is
DataCo GmbH
Sandstraße 33
80335 Munich, Germany
Tel.: +49 (0) 89 7400 458 40
E-mail: [email protected]
www.dataguard.de
The General Data Protection Regulation (GDPR) grants individuals in the EU (and the EEA) a set of rights over their personal data. These rights are intended to give people transparency, control, and recourse in how their data is collected, used, and shared by organizations.
Below is a summary of the key rights:
You may request confirmation from the controller as to whether personal data concerning you is being processed. Where this is the case, you may request the following information from the controller:
You have the right to request information as to whether your personal data is transferred to a third country or an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
The controller will provide you with a copy of the personal data undergoing processing. The rights and freedoms of others shall not be adversely affected. For any further copies you request, the controller may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, the information shall be provided in a commonly used electronic format, unless you request otherwise.
You have the right to obtain from the controller the rectification of inaccurate personal data concerning you without undue delay, and the right to have incomplete personal data completed.
a) Obligation to erase
If you request the controller to erase your personal data with immediate effect, the controller is obliged to do so without undue delay where one of the following applies:
b) Information to third parties
Where the controller has made your personal data public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, that personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary
You may request the restriction of the processing of your personal data under the following conditions:
Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted under the above conditions, you shall be informed by the controller before the restriction is lifted.
Where you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about those recipients.
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by this.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
You also have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. This does not apply where the decision
However, such decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (b) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
With regard to the cases referred to in 1. and 3., the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
1.1 Categories of personal data
As part of the application process, we process exclusively data relating to your application. This may include the following personal data:
1.2 Sources from which your personal data originates
As part of the applicant process, NAVIT collects the following personal data from you:
Purposes of processing
Your personal data is processed for the following purposes:
Legal bases for processing
Special categories that have been made public – Art. 9(2)(e) GDPR: Insofar as special categories of personal data are processed which you have manifestly made public, your data is processed pursuant to Art. 9(2)(e) GDPR.
Legal claims / actions of the courts – Art. 6(1)(f) GDPR, Art. 9(2)(f) GDPR: Where necessary, your data is processed for the establishment, exercise, or defense of legal claims or in connection with actions of the courts.
Consent – Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR, Art. 88(1) GDPR in conjunction with Section 26(2) BDSG (German Federal Data Protection Act): If you have given your consent to data processing, your data is processed accordingly.
Decision on the establishment of the employment relationship – Art. 6(1)(b) GDPR, Art. 88(1) GDPR in conjunction with Section 26(1) BDSG: We process your data in order to make a decision on the establishment of the employment relationship. In the event of employment, your data is processed for the purpose of carrying out and terminating the employment relationship; separate information is provided for this.
Legitimate interest – Art. 6(1)(f) GDPR: Our legitimate interest arises in particular from the proper conduct and optimization of the application process and from the establishment, exercise, or defense of legal claims.
Special categories – Art. 9(2)(a) GDPR: If you have given your consent to the processing of special categories of personal data (e.g. health data, religious affiliation, nationality), your data is processed accordingly.
In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients:
As part of the application process, your personal data is only forwarded to those employees of our company who need it to fulfill the aforementioned purposes. No transfer of your personal data to third parties takes place as part of the application process.
In addition, your personal data may be transmitted to the following service providers established in a country outside the EU/EEA:
In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries. A copy of the standard contractual clauses can be requested by sending an informal e-mail to [email protected].
For the purpose of communicating with applicants, we use the Google Workspace service provided by Google Inc., Google Ireland Limited, Google Commerce Limited, Google Asia Pacific Pte. Ltd., or Google Australia Pty Ltd. Further information: workspace.google.com/terms/2014/1/dpa_terms
We will erase your personal data as soon as the aforementioned purposes for its storage no longer apply, or you object to the use of your personal data (in the case of processing based on legitimate interests), or you withdraw the consent you previously gave. However, your personal data may also be stored beyond this, in particular in the following cases:
The following retention periods arise from statutory provisions in particular:
Where the applicant has consented, the application documents are included in the applicant pool and retained there for a maximum of 2 years from the time of consent. They are erased upon the purpose no longer applying or the withdrawal of consent by the applicant.
In the event of employment with our company, your personal data is erased when the purpose no longer applies, at the latest after termination of the employment relationship, unless statutory retention periods prevent erasure.
1.1 Your personal data that we process
In the context of the existing customer relationship, we process the following data relating to you:
1.2 Purposes of processing
In the context of the existing customer relationship, your personal data is processed for the following purposes:
1.3 Legal bases for processing
The legal basis for the processing of data in the context of our customer relationship is Art. 6(1)(a)–(f) GDPR.
Consent: Insofar as we obtain your consent, processing is carried out on the basis of Art. 6(1)(a) GDPR in conjunction with Art. 5, 7 GDPR.
Contract performance: Insofar as we process your data for the purpose of performing a contract, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to pre-contractual and post-contractual measures.
Legal obligation: Where necessary, Art. 6(1)(c) GDPR serves as the legal basis (tax and commercial law retention obligations).
Legitimate interest: The legal basis for direct advertising may, where our legitimate interests apply, be Art. 6(1)(f) GDPR – in particular to inform you about our products, offers, and services by way of direct marketing, and to respond to your inquiries by e-mail and telephone. The establishment, exercise, or defense of legal claims is also based on point (f).
In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients. We only transmit to external recipients where you have consented or where this is permitted by law:
In addition, your personal data may be transmitted to the following service providers established in a country outside the EU/EEA:
For the purpose of communicating with customers and interested parties, we use the Google Workspace service provided by Google Inc., Google Ireland Limited, Google Commerce Limited, Google Asia Pacific Pte. Ltd., or Google Australia Pty Ltd. Further information: workspace.google.com/terms/2014/1/dpa_terms
In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries.
The following service providers in the USA have joined the Trans-Atlantic Data Privacy Framework (TADPF; the data protection agreement between the EU and the USA), so that an adequate level of data protection is ensured for the data processing:
We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data is destroyed or erased in our systems as soon as it is no longer needed. We take appropriate measures to ensure that your personal data is only processed under the following conditions:
A requirement to retain data may exist in particular where the data is still needed to fulfill contractual services, to review and grant or defend warranty and, where applicable, guarantee claims. Where the data is no longer required for the fulfillment of contractual or legal obligations, it is erased on a regular basis, unless its – temporary – retention remains necessary, in particular to fulfill statutory retention periods of up to ten years (arising, among others, from the German Commercial Code (HGB), Fiscal Code (AO), and Anti-Money Laundering Act). In the case of statutory retention obligations, erasure is only considered after the expiry of the respective retention obligation.
1.1 Your personal data that we process
We process personal data that we receive from you through your participation in the event. In particular, we process:
1.2 Purposes of processing
Your personal data is processed for the following purposes:
In addition, the film and video recordings are published after the event for marketing purposes: on the website and on social or professional networks (YouTube, LinkedIn). Processing of your personal data for any other purpose is not intended.
1.3 Legal bases for processing
Legitimate interest: The legal basis for producing photo and film recordings during our events is our legitimate interest (Art. 6(1)(f) GDPR) in the subsequent internal and external publication for marketing purposes on our company website (www.navit.com) and on social or professional networks (YouTube, LinkedIn). If you do not wish to be photographed or filmed, please let us know before or during the event. If you should nevertheless appear in group recordings, you will be rendered unrecognizable in these recordings afterwards. For the publication, we obtain your consent at the entrance area of the event location, which you may of course give voluntarily.
Consent: The legal basis for processing your personal data, both for the purpose of participating in the event and for the internal and external publication of photo and film recordings, is the consent you have given, and thus Art. 6(1)(a) GDPR in conjunction with Art. 5, 7 GDPR. You have the right to withdraw your consent at any time by e-mail to [email protected]. The withdrawal does not affect the lawfulness of processing carried out on the basis of consent up to the point of withdrawal (Art. 7(3) GDPR). If you appear in a recording together with other persons, erasure is not mandatory – it is sufficient for you to be rendered unrecognizable. Insofar as a recording reveals information about your ethnic origin, religion, or health, the consent also expressly extends to this information.
Information on publication on the internet: Where personal data has been made publicly accessible and you withdraw your consent, we are only subject to an obligation to inform other recipients. Information placed on the internet may under certain circumstances never be completely deleted. In any case, the providers of the most important search engines are informed of the erasure request. Despite all technical precautions, it cannot be ruled out that third parties may reuse or pass on photos and/or videos. The company is not liable for third parties using the photos for further purposes.
In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients:
Your personal data is transmitted to the following service providers:
In the case of processors and service providers outside the EU/EEA, your aforementioned personal data is only processed insofar as this is the subject of our data processing agreement pursuant to Art. 28 GDPR with these recipients. The following data is used: name, video material (if the camera was switched on), e-mail address, IP address, metadata of the end device.
In addition, in the context of the publication of film and video recordings for marketing purposes, your personal data may be transmitted to the following service providers, provided you have given your consent:
In order to make the third-country transfer as data protection-friendly as possible, standard contractual clauses pursuant to Art. 46(2)(c) GDPR have been concluded with providers in unsafe third countries. We have no influence over the collection of data and its further use by the providers of the social networks. Further information on options for objection and removal can be found here: LinkedIn – linkedin.com/legal/privacy-policy; YouTube – policies.google.com/privacy.
Where we engage a service provider (e.g. an event manager), we remain responsible for the protection of your data. All processors are obliged to treat your data confidentially and to process it only in the course of providing the service. We may pass on your personal data (e.g. name, company name, e-mail address) to our authorized sales partners, based on our legitimate interest in identifying and pursuing potential sales opportunities (Art. 6(1)(f) GDPR). After receiving your data, these sales partners act as independent controllers.
We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data is destroyed or erased in our systems as soon as it is no longer needed. We take appropriate measures to ensure that your personal data is only processed under the following conditions:
A requirement to retain data may exist in particular where the data is still needed to fulfill contractual services, to review and grant or defend warranty and, where applicable, guarantee claims. Where the data is no longer required for the fulfillment of contractual or legal obligations, it is erased on a regular basis, unless its – temporary – retention remains necessary, in particular to fulfill statutory retention periods of up to ten years (arising, among others, from the German Commercial Code (HGB), Fiscal Code (AO), and Anti-Money Laundering Act).
1.1 Your personal data that we process
In the context of the employment relationship, we process the following personal data relating to you:
1.2 Purposes of processing
1.3 Legal bases for processing
Consent – Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR, Art. 88(1) GDPR in conjunction with Section 26(2) BDSG: e.g. consent to the publication of names and/or photos on the internet/intranet/flyers.
Establishment, performance, and termination of the employment relationship – Art. 88(1) GDPR in conjunction with Section 26(1) BDSG, Art. 6(1)(b) GDPR: As a rule, name and address are required for the employment contract.
Legal obligations – Art. 6(1)(c) GDPR: Our statutory obligations arise in particular from: Section 312 SGB III (employment certificate), Section 28a SGB IV (reporting obligation), Section 198 SGB V (reporting obligation for employees subject to insurance), Section 16(2) ArbZG (recording of working time), Sections 49, 50(2) JArbSchG (information/submission), Section 17 MiLoG (recording of working time), Section 27 MuSchG (notification/retention obligations), Section 17c AÜG (preparation/keeping of documents). (SGB = Social Code; ArbZG = Working Hours Act; JArbSchG = Youth Employment Protection Act; MiLoG = Minimum Wage Act; MuSchG = Maternity Protection Act; AÜG = Temporary Employment Act.)
Legitimate interest – Art. 6(1)(f) GDPR: in particular the establishment, exercise, or defense of legal claims, as well as in connection with personnel, IT, or other matters.
Special categories of personal data: for the exercise of rights under employment, social security, and social protection law (Art. 9(2)(b) GDPR, Art. 88(1) GDPR in conjunction with Section 26(3) BDSG); on the basis of your consent (Art. 9(2)(a) GDPR); where manifestly made public (Art. 9(2)(e) GDPR); for the establishment/defense of legal claims or in connection with actions of the courts (Art. 9(2)(f) GDPR); for purposes of preventive medicine, occupational medicine, or the assessment of working capacity (Art. 9(2)(h) GDPR).
In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients. We only transmit to external recipients where you have consented or where this is permitted by law. External recipients are in particular:
The transmission to the above recipients generally takes place for billing purposes, to fulfill our contractual, statutory, collective bargaining, income tax, or social security obligations, and for the establishment, exercise, or defense of legal claims (where necessary).
We will erase your personal data as soon as the aforementioned purposes for its storage no longer apply, you object to its use, or you withdraw the consent you previously gave. However, your personal data may also be stored beyond this, in particular:
The following retention periods arise from statutory provisions in particular:
Your data is stored on a restricted basis where storage is carried out solely for the purpose of fulfilling a retention obligation.