We appreciate your interest in our company. We value your privacy at Steinhaus Informationssysteme GmbH. The Steinhaus Informationssysteme GmbH website may be used without the user submitting any personal data. However, some of the special services on our company website may require the processing of personal data. We will always ask for consent before processing personal data if we need to and there is no other legal reason for us to do so.
As the party responsible for data processing (“controller”), we at Steinhaus Informationssysteme GmbH have implemented a wide variety of technical and organisational measures to provide as close to complete protection as possible for personal data processed via this website. Note, however, that we cannot guarantee full protection as the nature of Internet-based data transfer always involves the risk of data security breaches. Data subjects are therefore free to submit personal data to us using alternative methods such as by phone.
a) Personal data
Personal data refers to any information relating to an identified or identifiable individual person referred to here as a “data subject.” An identifiable individual person is someone that can be directly or indirectly identified especially by matching up an identifying feature such as a name, identification number, location information, online login or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual person.
b) Data subject
A data subject is any identified or identifiable individual person whose personal data has been processed by the party responsible for processing the data referred to as the “controller.”
Processing involves any operation or set of operations performed on personal data or on sets of personal data either automatically or manually; this includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or secure erasure.
d) Restriction on processing
Restriction of processing refers to the marking of stored personal data with the aim of restricting future processing.
Profiling is any form of automated processing and use of personal data to evaluate certain personal aspects of an individual person, in particular to analyse or predict aspects concerning that individual person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation refers to processing of personal data so as to prevent personal data from being attributable to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subjected to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable individual person.
A controller may be an individual person or company, public authority, agency or other organisation that determines, on its own or with others, the purposes and means by which personal data will be processed. The controller or certain criteria determining the role may be set out in EU or member state law where the purpose and methods of processing data are set by EU or member state law.
A processor is an individual person or legal entity, public authority, agency or other body that processes personal data on behalf of the controller.
A recipient is an individual person or company, public authority, agency, or other party receiving personal information regardless of whether or not the recipient is a third party. Authorities that may receive personal data according to EU or member state law in performing a particular investigation are not regarded as recipients.
j) Third party
A third party is an individual person or legal entity, public authority, agency or body other than the data subject, controller, processor or persons authorised to process personal data on behalf of the controller or processor.
Consent is given where a data subject unambiguously and voluntarily indicates in words or actions his or her personal informed agreement to having personal data relating to him or her processed for a specific purpose.
2. Name and address of the controller
The controller according to the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union and other statutory regulations related to data protection is:
Steinhaus Informationssysteme GmbH
PO Box 1226
Zum Wetterschacht 55
Tel.: +49 2363 3790-0
Fax: +49 2363 3790-36
VAT ID: DE126337831
Commercial Reg. No.: B1258
Court of registration: Recklinghausen
CEO: Dr. Harald Steinhaus
The cookies used on the Steinhaus Informationssysteme GmbH website are intended to provide a more user-friendly service than would otherwise be possible without these cookies.
Cookies allow us to optimise the information and services on our website to match the specific interests of our website’s users. As already mentioned, cookies will allow us to recognise a specific user the next time that user visits our website. This recognition is intended to make it easier for users to benefit from our website. This might, for example, mean that users are not forced to reenter login data every time they come back to our website – the website itself and the cookie stored on the respective computer will take care of it. Another example might be the cookie in a shopping cart in a webstore. The online shop uses a cookie to remember items in a customer’s virtual shopping trolley.
4. Collection of general data and information
The Steinhaus Informationssysteme GmbH website collects a variety of general data and information each time the data subject or an automated system accesses it. The general data and information are stored in logfiles on the server. This includes (1) the browser type and version, (2) the operating system used by the system accessing the website, (3) the “referrer” or website previously visited linking to this website, (4) web pages accessed using our website’s navigation features, (5) date and time of access to our website, (6) anonymised internet protocol address (IP address), (7) the internet service provider (ISP) used while accessing our website, and (8) other data and information that serve to protect our vested interests in the event of attacks on our IT systems.
Steinhaus Informationssysteme GmbH will not draw any conclusions on the respective data subject while using the data and information collected. However, we need this information to (1) show the content of our website correctly, (2) optimise the content and advertising on our website, (3) ensure constant availability of our IT systems and equipment serving our website, and (4) provide criminal investigation authorities with the information they may require in order to pursue any criminal cyberattacks on our website. Steinhaus Informationssysteme GmbH will use the anonymous data and information collected for statistical evaluation to increase data privacy and security at our company with the ultimate aim of optimising the protection of personal data that we process. Server logfiles store data separately from any personal data specific to the data subject.
5. Registration on our website
Data subjects may register on our website using personal data to log in. The personal data transmitted to the website controller will be the data entered using the respective registration form. We, as the controller, will collect and use the data solely for our own internal purposes. We may also transmit personal data to one or more contractors as processors, such as a parcel service, which will only use the personal data for internal use as ordered by us as the controller.
The IP address that the respective internet service provider (ISP) has allocated to a particular data subject as well as the date and time of registration will also be saved on website user registration. This data will be stored in such a way as to allow us to prevent abuse of our services and, if necessary, for the purposes of criminal investigation. This is one reason we as the controller need to store personal data. We will never pass personal data on to third parties unless we are legally required to do so or need to do so to assist in a criminal investigation.
By registering, the data subject allows us as the controller to provide the data subject with content or services that we can only offer to registered users by the nature of the content or services. Registered users may at any time change the personal data entered during registration or have their personal data expunged from our database.
Data subjects may also at any time request disclosure on all information we have stored on them. Apart from that, data subjects may also request that we correct any errors in personal data or delete personal data unless statutory retention requirements prevent us from doing so. Data subjects may contact any of our employees charged with processing their personal data in such matters.
6. Contact options on the website
In accordance with statutory requirements, the Steinhaus Informationssysteme GmbH website includes information to enable rapid electronic contact with our company as well as direct communication with us; this includes a general address for contact by computer, that is, an e-mail address. Any personal information provided by a data subject will be stored automatically when the respective data subject e-mails us or uses our contact form to contact us. Any personal data voluntarily transmitted to us will be stored for processing or contacting the data subject. We will not transmit personal data to third parties.
7. Routine deletion and restriction on personal data
We will only process and store personal data for the period necessary to achieve the purpose of data storage, or according to European directives or regulations or other laws or regulations to which we are bound.
Personal data will be restricted for processing or deleted routinely and as required by law once the purpose of storage ceases to apply or the retention periods set by European directives or regulations or other legal statutes have expired.
8. Your rights as a data subject
a) Right to verification
EU directives and regulations grant every data subject the right to obtain verification from the controller as to whether the controller is processing personal data on the data subject. Data subjects wishing to exercise this right to verification may contact any employee of the controller at any time.
b) Right to disclosure
EU directives and regulations grant every data subject the right to request disclosure on personal data stored as well as a copy of the disclosure at any time without cost to the data subject. In addition, EU directives and regulations grant every data subject the right to disclosure on the following information:
- Purpose of processing
- Categories of personal data processed
- Recipients or categories of recipients for personal data in the past, present or future, especially if the recipients are based in countries not subject to the GDPR or are international organisations
- If possible, the planned storage duration for the personal data, or, if this is not possible, the criteria determining this storage duration
- The existence of a right to correct or delete personal data concerning the data subject, or restriction on processing by the controller, or the right to object to processing
- Right to lodge a complaint with a regulatory body
- For personal data sourced from a party other than the data subject: All available information on the origin of the data
- The existence of automated decision-making, including profiling, referred to in GDPR Art. 22.1 and 22.4 and, at least in those cases, meaningful information as to the logic involved, as well as the significance and the envisaged consequences of such processing for data subjects
Apart from that, data subjects may request information on any personal data transmitted to a country not subject to the GDPR or to an international organisation. If so, the data subject may also request information on the appropriate safeguards used in transmission.
Data subjects wishing to exercise this right to disclosure may contact any employee of the controller at any time.
c) Right to rectification
EU directives and regulations grant every data subject the right to request immediate correction of incorrect personal data on the data subject. Apart from that, the data subject may request that incomplete personal data be completed, taking the purpose of processing into account; this may also involve a supplementary declaration.
Data subjects wishing to exercise this right to rectification may contact any employee of the controller at any time.
d) Right to deletion (“right to be forgotten”)
EU directives and regulations grant every data subject the right to request immediate deletion from the controller as long as one of the following circumstances applies and where no processing is necessary:
- Personal data no longer needed for the original purpose of collection or processing in some other form
- Withdrawal of consent by the data subject for the personal data to be processed according to GDPR Art. 6.1 (a) or Art. 9.2 (a) without any other legal justification for processing
- Objection by the data subject to processing according to GDPR Art. 21.1 with no prevailing legitimate reason for processing, or objection to processing by the data subject according to GDPR Art. 21.2
- The personal data had been unlawfully processed
- We as the controller are bound to legal obligations under EU or member state law requiring the personal data to be deleted.
- Personal data collected in relation to the offer of information society services according to GDPR Art. 8.1
Any data subject may contact the controller at any time if one of the above reasons applies and the data subject wishes to have the personal data deleted that has been stored at Steinhaus Informationssysteme GmbH. The employee at Steinhaus Informationssysteme GmbH shall immediately arrange for the deletion request to be fulfilled.
If Steinhaus Informationssysteme GmbH has published personal data and our company is the controller according to GDPR Art. 17.1 with the obligation to delete the personal data, Steinhaus Informationssysteme GmbH shall take the necessary technical and organisational measures subject to current technological and implementation costs such that another controller responsible for processing the published personal data is aware that the data subject has requested from this other controller that all links to this personal data, or copies or duplicates of this personal data be deleted as long as processing is not necessary. The employee at Steinhaus Informationssysteme GmbH shall arrange for the necessary measures to be taken.
e) Right to restriction on processing
EU directives and regulations grant every data subject the right to request restriction on processing the personal data on the data subject from the controller as long as one of the following conditions applies:
- The data subject contests the accuracy of personal data on the data subject allowing enough time for the controller to verify the accuracy of the personal data
- Processing is unlawful and the data subject rejects the deletion of personal data, instead requesting a restriction on the use of the personal data
- The controller no longer requires the personal data for the purpose of processing, but the data subject requires the personal data to exercise or defend a legal claim
- The data subject has lodged an objection to processing according to GDPR Art. 21.1, and it is not yet clear whether the vested interests of the controller outweigh those of the data subject
Any data subject may contact the controller at any time if one of the above conditions is satisfied and the data subject wishes to have the personal data restricted that has been stored at Steinhaus Informationssysteme GmbH.
f) Right to data portability
EU directives and regulations grant every data subject the right to request the information that the data subject has passed on to the controller to be disclosed to the data subject in a generically structured computer-readable format.
In addition, the data subject may have his or her personal data transmitted from one controller to another controller in exercising the data subject’s right to data portability according to GDPR Art. 20.1 provided that this is technically feasible and the rights and freedoms of others are not impacted.
The data subject may at any time contact an employee at Steinhaus Informationssysteme GmbH to exercise the right to data portability.
g) Right to objection
EU directives and regulations grant every data subject the right to object to further processing of personal data on the data subject according to GDPR Art. 6.1 (e) or (f) at any time for reasons arising from the specific situation of the data subject. This also applies to any profiling results based on these regulations.
The data subject may at any time object to the processing of personal data for the purpose of direct advertising by Steinhaus Informationssysteme GmbH. This shall also apply to any profiling in connection with direct advertising. Steinhaus Informationssysteme GmbH shall no longer process the data subject’s personal data for direct marketing purposes if the data subject objects to Steinhaus Informationssysteme GmbH processing the data subject’s data for this purpose.
In addition, the data subject may object to the processing of personal data that Steinhaus Informationssysteme GmbH has collected for research, historical review or statistical purposes according to GDPR Art. 89.1 where such an objection arises from the situation of the data subject unless processing is necessary in fulfilling an obligation in the public interest.
The data subject may contact any employee of Steinhaus Informationssysteme GmbH in order to assert this right to objection. The data subject may also exercise these rights to objection to processing by an automated system using technical specifications in relation to the use of information society services notwithstanding 2002/58/EC.
h) Automated decision-making on an individual basis, including profiling
All data subjects may exercise the rights granted by the directives and regulations of the European Union not to be subjected to decisions based solely on automated processing – including profiling – with potential legal impact or similar effect on the data subject if the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and controller, or (2) is permissible on the basis of EU or member state law affecting the data subject, where such law takes appropriate measures to safeguard the rights, freedoms and vested interests of the data subject or (3) to which the data subject gives explicit consent.
If the decision (1) is necessary for contract conclusion or performance between data subject and controller or (2) has been reached with the express consent of the data subject, Steinhaus Informationssysteme GmbH shall take the appropriate measures to safeguard the rights, freedoms and vested interests of the data subject; this includes at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
The data subject may at any time contact an employee of the controller to exercise rights with respect to automated decisions.
i) Right to withdrawal of consent according to data protection law
EU directives and regulations grant every data subject the right to revoke any consent previously granted to have personal data on the data subject processed at any time.
The data subject may at any time contact an employee of the controller to revoke any consent previously granted.
9. Data protection in job applications and the application process
The controller shall collect and process personal data from job applicants in order to manage the application process. This may involve digital processing. This shall especially apply if the job applicant sends the corresponding application documents to the controller by digital means, such as by e-mail or a web form on the website of the controller. The personal data transmitted shall be stored in order to manage the employment relationship in compliance with statutory provisions if the controller concludes an employment contract with the applicant. If the person responsible for processing does not conclude an employment contract with the applicant, the application documents shall be deleted automatically two months after the controller notifies the data subject of the controller’s decision to reject the application provided that deletion does not conflict with any other vested interests of the controller. Other vested interests include burden of proof in litigation pursuant to the German General Equal Treatment Act (AGG).
10. Data protection provisions on the use of Google Analytics (including anonymisation)
11. Legal basis for processing
Our company will process personal data on the legal basis of GDPR Art. 6.1 (a) where we seek consent for processing to fulfil a particular purpose. Personal data will be processed on the legal basis of GDPR Art. 6.1 (b) if processing is required to fulfil a contract where one contracting party is the data subject, such as in processing data to supply goods or other services or payments. The same applies to processing required to perform pre-contract activities such as processing requests for products or services. Personal data will be processed on the legal basis of GDPR Art. 6.1 (c) if our company is legally bound to process personal data for purposes such as fulfilling tax obligations. In rare cases, processing personal data may be required to protect the vital interests of the data subject or another individual person. One example may be if a visitor to our company were to be injured and we needed the visitor’s name, age, health insurance data or other vital information to pass on to a doctor, hospital or other third party. Processing would then be based on GDPR Art. 6.1 (d). Finally, personal data may be processed on the legal basis of GDPR Art. 6.1 (f), which refers to processing personal data not covered by any of the other provisions above as a legal basis, but to protect the vested interests of our company or a third party provided that these interests outweigh the vested interests or fundamental rights and freedoms of the data subject. We are especially permitted to process data in this context as European law specifically mentions this form of processing. European law takes the view that a vested interest may be assumed if the person concerned is a customer of the controller (GDPR Recital 47.2).
12. Legitimate interests in processing as pursued by the controller or a third party
Our legitimate interest is to perform our activities towards the welfare of all our employees and shareholders where we process personal data on the legal basis of GDPR Art. 6.1 (f).
13. Personal data retention periods
Personal data retention periods shall be based on the criteria set by the respective statutory retention periods. After the respective period has expired, personal data no longer required for contract initiation or performance shall be routinely deleted.
14. Legal or contractual provisions for submitting personal data; necessity for contract conclusion; obligation of data subjects to submitting personal data; possible consequences of failure to submit
The following explains how submission of personal data may be required to meet a statutory requirement such as in tax law or arise from contractual agreements such as information on a contract party. Contract conclusion may in some cases require a data subject to submit personal data that we then need to process. The data subject may need to provide us with personal information for our organisation to conclude a contract with the data subject, and failure to do so would prevent conclusion of the contract with the data subject. The data subject must then contact one of our employees before submitting personal data. The respective employee will explain to the data subject whether the personal data will be required by law or contract or for contract conclusion, whether there is a requirement to submit the personal data, and what the consequences would be if the data subject failed to provide the personal data, all depending on the case at hand.
15. Automated decision-making
We take privacy seriously and do not use automatic decision-making or profiling.
16. Subscription to our newsletter
The Steinhaus Informationssysteme GmbH website includes a feature enabling users to subscribe to our company newsletter. The personal data transmitted to the controller on subscribing to the newsletter will be gathered from the web form used for this purpose.
Steinhaus Informationssysteme GmbH provides customers and business partners regular news and information on company products and services in this newsletter. Data subjects will only receive the newsletter if the respective data subject (1) has a valid e-mail address and (2) subscribes to the newsletter. For legal reasons, the data subject will first receive a confirmation e-mail using the e-mail address submitted by the data subject in what is referred to as a double opt-in procedure. This confirmation e-mail will then be used to confirm that the data subject whose e-mail address was submitted is authorised to subscribe to and receive the newsletter.
During the subscription process, we will also store the date and time of subscription as well as the IP address assigned by the Internet service provider (ISP) to the device used by the data subject at the time of subscription. This data needs to be stored as legal protection for the controller in facilitating any subsequent investigation of potential abuse of the data subject’s e-mail address.
The personal data collected in the newsletter subscription process will be used solely for the purpose of sending our newsletter. Subscribers to the newsletter may also be informed by e-mail as necessary to continue providing the newsletter service or where further registration is necessary, such as in response to changes to the newsletter service or technical infrastructure. The personal data collected as part of the newsletter service will not be passed on to third parties. The data subject may unsubscribe from our newsletter at any time. The data subject may also revoke his or her consent to the storage of personal data submitted to us for the purpose of sending the newsletter. Every edition of the newsletter will include a link enabling subscribers to unsubscribe from the newsletter. Subscribers may also unsubscribe from the newsletter directly on the website of the controller or by otherwise informing the controller of the subscriber’s wish to unsubscribe.
17. Newsletter tracking
The Steinhaus Informationssysteme GmbH newsletter contains what are referred to as tracking pixels. A tracking pixel is a miniature graphic embedded in e-mails sent in HTML format and enables logfile maintenance and analysis. This allows statistical evaluation of the success or failure of online marketing campaigns. Steinhaus Informationssysteme GmbH uses the embedded tracking pixel technology for information as to if and when an e-mail was opened by a data subject and which links the data subject clicked in the e-mail.
Personal data collected using tracking pixels contained in newsletters will be stored and evaluated by the controller to optimise the newsletter service and adjust the content of future newsletters to the interests of the data subject. The personal data will not be passed on to third parties. Data subjects may revoke the separate declaration of consent for this purpose any time using the double opt-in procedure. After revocation, the controller will delete the respective personal data. Steinhaus Informationssysteme GmbH will automatically interpret unsubscription from the newsletter as revocation.