CONTROLLER AND SCOPE
The controller as referred to in the EU General Data Protection Regulation (GDPR) and other, national data protection laws of the member states as well as other regulations on data protection is
RSU Rating Service Unit GmbH & Co. KG
NAME AND ADDRESS OF DATA PROTECTION OFFICER
You can reach our data protection officer by e-mail at Datenschutzbeauftragter@rsu-rating.de, by regular mail by adding “der Datenschutzbeauftragte” to our postal address or by telephone at +49/89/442340-0.
TREATMENT OF PERSONAL DATA
The present text is to inform users about the nature, extent, and purpose of the processing of personal data by RSU Rating Service Unit GmbH & Co. KG, Karlstraße 35, 80333 München. The relevant statutory provisions on data protection are contained in the GDPR.
Since changes in legislation or to our internal processes may require us to amend this data protection statement from time to time, we would ask you to check this statement regularly.
“Personal data” as defined in Article 4 of the GDPR means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more specific properties. For example, personal data include the name, e-mail address, telephone number or IP address of an individual.
Information which we cannot connect to you (or which we could only connect to you at disproportionate cost), for example because it has been anonymized, is not personal data. Any processed personal data will be erased once the purpose of the processing has been achieved and there is no legal requirement to store the data any more.
RSU will only process personal data if this is legally permitted or the users agree to the collection of the data. If we process your personal data, the concrete operations, extent and purpose of and legal basis for the processing and the time for which the data are stored are stated below
ACCESS DATA/SERVER LOG FILES
RSU (or its web space provider) collects data on every instance in which the website is accessed (referred to as server log files). The data collected include: domain, IP address, name of website retrieved, file, date and time of retrieval, amount of data transmitted, information on success of retrieval, type and version of browser, user’s operating system, referrer URL (site previously visited) and requesting provider.
RSU only uses the log data for statistical evaluation in support of the operation, protection and optimisation of the website. However, RSU reserves the right to check the log files at a later time if there are specific indications of illegal use.
This processing of data is based on Article 6(1)(f) of the GDPR. It is necessary for maintaining a website and thus for pursuing legitimate interests of our company.
Recording the data required for operating the website and saving the data in log files is indispensable for operating an Internet page. For this reason, users cannot object to these actions. Your personal data will be erased as soon as they are no longer needed for the aforementioned purpose. If personal data are saved in log files, they are erased after three days. Data may be stored more extensively in individual cases if this is required by law.
If RSU is contacted by e-mail, user information is stored for the processing of the inquiry and in case further questions arise.
Your e-mail address is used to assign your message to its sender and to answer you. This processing of personal data is based on Article 6(1)(f) of the GDPR. Once the personal data gathered in this context are no longer needed, they will be erased or their processing will be restrict-ed if they must be stored by law. You may object to the future processing of your personal data at any time when contacting RSU by e-mail.
INCORPORATION OF THIRD-PARTY CONTENT AND SERVICES
Third-party content such as maps from Google Maps, RSS feeds or charts from other websites may be incorporated into this website. This always requires the providers of such content (referred to as “third-party providers” below) to know the IP addresses of the users to be able to send the content to the users’ browsers. The IP address is therefore necessary for presenting the content. While we try to incorporate only content whose providers use IP addresses only for transmitting the content, we have no way of preventing third-party providers from storing IP addresses, for example for statistical purposes. Where we know that a third-party provider stores IP addresses, we inform users accordingly.
However, if IP anonymization is enabled for this website, the users’ IP addresses are shortened by Google for addresses from within the countries of the European Union or from other countries adhering to the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address sent to a Google server in the USA and shortened there. IP anonymization is enabled for this website. Google has been tasked by the company operating this website with using the information gathered to analyse how the website is used by users, compiling reports on the activities occurring on the website and providing further services relating to the use of the website and of the Internet. We have a legitimate interest in processing data for these purposes. The legal basis for using Google Analytics is section 15, sub-section 3 (§ 15 Abs. 3) of the German Telemediengesetz (TMG) and Article 6(1)(f) of the GDPR. The data sent by us, which are linked to cookies, user identifiers (e.g. user IDs) or advertising IDs, are automatically erased after 14 months. Data whose maximum storage time has been reached are automatically erased once a month.
The IP address transmitted by the user’s browser for the purposes of Google Analytics will not be combined with other Google data. Users can prevent the storage of cookies by choosing the appropriate settings in their browsers; however, in that case the complete functionality of the website may not be available. Users can also prevent the retrieval of the data on their use of the website generated by a cookie (including their IP addresses) and the processing of these data by Google if they download and install the browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=de.
For further information on how Google uses data for advertising purposes as well as options regarding settings and possible objections, users should refer to the following websites: https://www.google.com/intl/de/policies/privacy/partners/ (“How Google uses data when you use our partners’ sites or apps”), https://www.google.com/policies/technologies/ads (“Advertising“), https://www.google.de/settings/ads (“Control the information Google uses to show you ads”) and https://www.google.com/ads/preferences/ (“Determine what ads Google can show you”).
As an alternative to the browser add-on or if using browsers on mobile devices, you can prevent the collection of data through Google Analytics on this website by clicking on the following link. This will cause an Opt-Out Cookie to be saved to your device. If you have deleted the cookies on your device, you need to click on the link again: https://tools.google.com/dlpage/gaoptout?hl=de
USE OF VIMEO SERVICES
RSU uses the services of Vimeo LLC (“Vimeo”) to embed videos. If you visit the subsite of our website, which contains the Vimeo-Plugin, a connection to Vimeo’s servers will be established, i.e. data to servers located in the USA will be transferred. As described in Vimeo’s data protection information following data will be transferred to Vimeo: IP address, technical information of the end device such as browser type, operating system, basic data of the end device, pages previously visited, queries made and browsing activities. In addition, Vimeo cookies are stored on your end device. We have no influence on this data transfer.
Vimeo also gives users access to certain additional functions, e.g. video sharing. For this purpose you may need to log in to your account with Vimeo or another provider to allow them to match the information transferred from you with your account information. This service is offered entirely by Vimeo and any other providers involved. You should check the data protection rules of these parties carefully before using the functions in question. RSU does not know what data are gathered when such functions are used and has no influence on how these data are used.
For information on the processing of your personal data by Vimeo and the purpose of such processing, your rights and any settings that may help protect your privacy please refer to Vimeo’s data protection statement at https://vimeo.com/privacy.
DIRECT MARKETING BY REGULAR MAIL
We process your personal data for purposes of direct marketing by regular mail. This is in our legitimate interest as referred to in Article 6(1)(f) of the GDPR, which is therefore the legal basis for the processing of your personal data in this context. Your personal data will be erased as soon as they are no longer necessary for the purpose for which they have been collected. This applies in particular if you object to our processing of your personal data.
Normally we collect the personal data from you directly. In addition we process data that we have obtained from publicly accessible sources and that we are permitted to process.
ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS
In the context of the establishment, exercise or defence of legal claims, we process your personal data to refute unfounded claims and enforce claims and rights. This is in our legitimate interest as referred to in Article 6(1)(f) of the GDPR. The legal basis for processing personal data in the context of the establishment, exercise or defence of legal claims is Article 6(1)(f) of the GDPR. Your personal data will be erased as soon as they are no longer needed for the purposes for which they have been collected. Since processing your personal data is indispensable in this context, you cannot object to it.
CATEGORIES OF RECIPIENTS
Within RSU Rating Service Unit GmbH & Co. KG, your personal data will be provided to those units that need them to achieve the purposes stated above. In addition, we make your personal data available to certain trustworthy recipients whose services we use (e.g. IT service providers). We have carefully selected and commissioned these recipients; they have agreed to comply with our instructions and are monitored on a regular basis.
We process the personal data of applicants during the application process. Applications can be submitted to us electronically by e-mail.
The data that you provide to us during the application process will be processed solely for the purposes of this process and will be made available only to the individuals directly involved. The data will not be passed on to any third parties. The legal basis for processing personal data for this purpose is Article 6(1)(b) of the GDPR in conjunction with Article 88 of the GDPR and § 26 of the Bundesdatenschutzgesetz. The data will be erased as soon as they are no longer needed for the purposes for which they have been collected and stored, need not be stored by law and are no longer required in connection with the protection and defence of potential legal claims. Applicants may withdraw their application at any time. If they do so, their application documents are disregarded in the further application process and are erased unless they must be stored by law.
RIGHTS OF THE DATA SUBJECT
If we process your personal data, you are a data subject and have the following rights with regard to the personal data concerning you:
RIGHT TO OBJECT
If your personal data are processed for the purposes of legitimate interests of our company in accordance with Article 6(1)(f) of the GDPR, you may object to the processing of your personal data pursuant to Article 21 of the GDPR on grounds relating to your particular situation or because you object to direct marketing activities. In the case of direct marketing you have a general right to object, with which we will comply without any need for you to invoke your particular situation. RSU will then stop processing these personal data unless RSU demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms in question or RSU needs to process the data for the establishment, exercise or defence of legal claims.
DATA SECURITY AND SAFEGUARDS
We undertake to protect your privacy and treat your personal data as confidential. To prevent any manipulation, loss or abuse of the data stored in our systems we take extensive technical and organisational precautions, which we check and update to state-of-the-art level on a regular basis. This includes the use of acknowledged encryption methods (SSL or TLS). However, please be aware that due to the structure of the Internet there may be persons or institutions outside our area of responsibility which disregard data protection rules or fail to observe the aforementioned precautions. In particular, third parties may have access to data that are made available unencrypted, for example via e-mail. We have no way of preventing this by technical means. Users are responsible for protecting the data they make available, for example by means of encryption.
Munich, May 2019