Notes on data processing

Introduction
We take the protection of your personal data very seriously. We provide you with these notes on data processing in order to inform you about the nature, scope and purpose of the processing of personal data for our services and offers, as well as within the scope of our online content and the web pages and functions associated with it, and explain to you what rights you have as a data subject with regard to the protection and the enforcement of protection of your personal data.

Term definitions
The definitions of the data protection terms used here correspond to the definitions as per Art. 4 of the EU General Data Protection Regulation (GDPR). To the extent that the term "data" is used in the notes on data processing, this term refers to personal data within the meaning of the GDPR.

The data controller according to Art. 4, para. 7 GDPR is:

Streck Transportges. mbH
represented by the managing directors Bernd Schäfer (chairman), Ralph Diringer and Gerald Penner 
Brombacher Str. 61
D-79539 Lörrach
Phone: +49 (0) 7621 177 0
E-mail address: info@streck.de

Data protection officer
Dresden Institute for Data Protection
a foundation under civil law
represented by its director, Dr. Ralph Wagner
Hospitalstraße 4
D-01097 Dresden
Phone: +49 (0) 351 655 722 0
E-mail: datenschutz@streck.de
Internet: www.dids.de 

If you wish to exercise your rights or need more information about our use of your personal data, please contact us, as the data controller, or contact our data protection officer using the specified contact details.

You have the following rights:

a) Right to revoke consent according to Art. 7, para. 3 GDPR
If the processing is based on consent, you can revoke your consent to the processing of personal data in accordance with Art. 7, para. 3 GDPR at any time with effect for the future. As a result, the data processing based on this consent may no longer be continued in the future. This revocation will not affect the lawfulness of any processing done beforehand.

b) Right to information according to Art. 15 GDPR
In accordance with Art. 15 GDPR, you have the right to request information about your processed personal data at any time. In particular, you can request information about the purposes of processing, the categories of personal data, the categories of recipients to whom your personal data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or a right of objection, the existence of a right of appeal to a supervisory authority, the origin of your personal data if it has not been collected from you, the existence of automated decision-making including profiling in accordance with Art. 22, para. 1-4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject. The restrictions according to Section 34 Federal Data Protection Act (BDSG) apply.

c) Right to rectification according to Art. 16 GDPR
According to Art. 16 GDPR, you can request the immediate rectification of incorrect data or the completion of stored personal data.

d) Right to deletion according to Art. 17 GDPR
According to Art. 17 GDPR, you are entitled to demand the deletion of the stored personal data, unless the processing is required for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims. The restrictions according to Section 35 BDSG apply.

e) Right to restriction of processing according to Art. 18 GDPR
According to Art. 18 GDPR, you can request the restriction of processing of your personal data insofar as the accuracy of the data is disputed, the processing is unlawful, but its deletion is refused and your personal data is no longer needed and you need this data for the assertion, exercise or defense of legal claims.

f) Right to objection against direct marketing
You can object to the processing of your personal data for advertising purposes at any time. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for these purposes.

g) Right to objection according to Art. 21 GDPR
You have the right to object, at any time, for reasons arising from your particular situation, to the processing of your personal data on the basis of Art. 6, para. 1, sentence 1, lit. f) GDPR (data processing on the basis of legitimate interests). If you intend to exercise such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. After you lodge your objection, we will no longer process the personal data unless we can prove that we have a compelling legitimate interest in its continued processing that outweighs your interests, rights, and freedoms, or if the processing serves the assertion, exercise, or defense of our legal claims.

h) Right to data portability according to Art. 22 GDPR
You have the right to request a copy of the data provided by you in a structured, common and machine-readable format in accordance with Art. 20 GDPR, provided that the processing is carried out using automated procedures and on the basis of consent in accordance with Art. 6, para. 1, sentence 1, lit. a) or Art. 9, para. 2, lit. a) GDPR or on the basis of a contract in accordance with Art. 6, para. 1, sentence 1, lit. b) GDPR.

i) Right to lodge a complaint according to Art. 77 GDPR
If you suspect that the processing of your personal data is unlawful, according to Art. 77 GDPR in conjunction with Section 19 BDSG you have the option to lodge a complaint with us or with a data protection supervisory authority, in particular in the EU member state where your place of residence, your place of work or the place where the alleged infringement has occurred is located.

The competent authority in Baden-Württemberg is:
State Data Protection and Freedom of Information Officer, mailing address: PO box 10 29 32, 70025 Stuttgart, phone: +49 (0)711/615541-0, fax: +49 (0)711/615541-15, e-mail: poststelle@lfdi.bwl.de

We do not make direct offers to persons under the age of 16. Persons under the age of 16 may not transmit any personal data or a declaration of consent to us without the consent of their legal representative.

Processing purposes and legal basis
Every time you visit our web pages, your browser transmits data to our web server (so-called "server log files"), which may enable your identification.

The data processing is required for the website visit to take place. In order to enable the provision of the web pages, a technical connection must be established between your browser and our website. Other processing purposes include the optimization of the stability and functionality of our web pages, ensuring the security of our information technology systems, and detecting and tracking misuse. The legal basis is in accordance with Art. 6, para. 1, sentence 1, lit. c) GDPR, our legal obligation to ensure data security and our overriding legitimate interest in direct marketing and in the security of our offer according to Art. 6, para. 1, sentence 1, lit. f) GDPR, as long as this is done in accordance with the data protection requirements.

Data categories and data origin
Depending on the configuration of your browser, the following data is processed:

• Retrieved web pages
• Date and time of the retrieval
• Amount of data transferred
• Notification of successful retrieval
• Browser used
• Operating system used
• Internet service provider
• IP address of the retrieving system of the user
• Web page from which the system of the user has reached the retrieved web page

Recipients of personal data
We use external service providers such as hosting service providers as data processors for the provision of our web pages, which means that they can obtain access to your personal data. 

Duration of storage
The data is stored for a period of 30 days. We reserve the right to inspect the files if concrete indications justify the legitimate suspicion of unlawful use or of a concrete attack against our website. Data whose further storage is necessary for record-keeping  purposes will be deleted as soon as it is no longer necessary to achieve the purpose of its processing.

Cookies

Processing purposes and legal basis
Our website uses so-called "cookies". Cookies perform various different functions. Numerous cookies are technically necessary because certain website functions would not work without them. Other cookies are used to evaluate user behavior or to display advertising.

Cookies that are necessary to carry out the electronic communication process or to optimize the website are stored on the basis of Section 25, para. 2, No. 2 Federal Telecommunications Telemedia Data Protection Act (TTDSG). We have a legitimate interest in the storage of cookies for the technically error-free and optimized provision of our offer.

We use all other cookies on the basis of your consent, which you can grant or deny in the privacy settings on your first visit to our website. The legal basis is Section 25, para. 1 TTDSG in conjunction with Art. 6, para. 1, lit. a) and Art. 7 GDPR. The consent can be revoked at any time with effect for the future.

Data categories and data origin
Cookies are data sets that are stored either temporarily for the duration of a session or permanently on the hard drive of your end device and assigned to the browser you are using so that certain information can be transmitted to the website that sets the cookie. Cookies are used primarily to make the Internet offer faster and more user-friendly. When you visit our website and at any point in time after that, you have the choice of whether to generally allow the setting of cookies or which individual additional functions you wish to select.

Recipients of personal data
We use external service providers, such as hosting service providers, as data processors for the provision of our web pages, which means that they can obtain access to your personal data. When you visit our website, third-party cookies (external content) may also be stored on your end device. These allow us or you to use certain third-party services.

Duration of storage, revocation of consent
Session cookies are automatically deleted at the end of your visit to our website. Permanent cookies remain stored on your device until you delete them or your web browser deletes them automatically. You can find information about the storage period of cookies in the privacy settings.

In the privacy settings, you can also change the cookie settings and in this way revoke your consent, with the exception of consent for cookies that belong to the "Essential" category, since these are technically necessary to ensure the correct display of our web pages. You can configure your browser in such a way that you are informed when cookies are set and only allow cookies in individual cases, exclude the acceptance of cookies in certain cases or in general and activate the automatic deletion of cookies when the browser is closed. Cookies that have already been saved can be deleted via the system settings of your browser at any time. If cookies are deactivated, the functionality of this website may be limited.

Web analytics with Matomo Analytics

Processing purposes and legal basis
We use the open-source Matomo web analytics service on our web pages to analyze visitor traffic. No data is transmitted to Matomo. Among other things, Matomo enables us to determine from which web page you came to our website and how often or for how long you visited a sub-page. It is not possible to assign the web statistics to your end device or access point. Only an assignment to individual regions is visible. By evaluating the obtained data, we aim to further improve our web pages and their user-friendliness and adapt them to the needs of website visitors. If you consent to the web analytics by ticking the "Analytics & Performance" box in the privacy settings (Art. 6, para. 1, sentence 1, lit. a) in conjunction with Art. 7 GDPR), your usage behavior is recorded anonymously. Your consent is voluntary and not required for using our web pages.

Data categories and data origin
We use Matomo without setting cookies on your end device.

Instead, Matomo uses the visitor config_id, a random, time-limited hash of a limited set of visitor settings and attributes. The config_id is a string that is calculated for a specific visitor based on their operating system, browser, browser plugins, IP address and browser language. The config_id is only valid for a maximum of 24 hours and only for a specific website domain. The config_id calculation changes randomly every 24 hours, which means that the same visitor is assigned a different config_id every day. The config_id is completely anonymized every 24 hours. The randomly generated seed is discarded every day and cannot be restored. The website ID is also to create the config_id, which means that a particular user/visitor always has a different config_id when visiting different websites and domains.

Furthermore, we have configured Matomo in such a way that your IP address is only recorded in shortened form by masking the last two bytes (e.g., 192.168.xxx.xxx). This anonymized IP address is also used for the config_id calculation. We therefore process your personal user data anonymously, and it is not possible for us to draw any conclusions about your person.

Duration of storage, revocation of consent
The data is as soon as it is no longer needed for our logging purposes. We have configured Matomo in such a way that it deletes the collected analytics data after 6 months.

You can revoke your consent to data processing via Matomo at any time with effect for the future by unchecking "Analytics & Performance" here.

Login options

Processing purposes and legal basis
We offer our customers the opportunity to log in to restricted areas in order to use additional services such as shipment recording and tracking. Registration is usually done through us. 

The data is processed for the purpose of implementing the user relationship established by the registration and, if necessary, for initiating or implementing further contracts. The legal basis is Art. 6, para. 1, sentence 1, lit. b) GDPR.

Data categories and data origin
When you use the restricted areas, we collect and process your personal data that is necessary for the fulfilment of the contract, such as your name, contact details, address data and the data necessary for your identification and use.

Recipients of personal data
If we use external service providers as data processors to provide these services, they may have access to your personal data.

Duration of storage
We process and store your personal data as long as it is necessary to achieve the above-mentioned purposes. In certain cases, personal data may be stored for the period of time during which legal claims may be asserted, exercised or defended (statutory limitation periods of three to thirty years). In addition, we store your personal data if and to the extent that we are legally obliged to do so. Corresponding record-keeping and data retention obligations arise, for example, from commercial, tax and social security regulations. The storage period for data stored under tax and commercial law according to Section 147 of the Federal Taxation Regulation (AO), Section 257 of the Federal Commercial Code (HGB) is normally 6 or 10 years to the end of a financial year.

Newsletter service, newsletter analysis

Processing purposes and legal basis
We offer you the option to register for our free e-mail newsletter service and thereby regularly receive e-mails from us with information about our services to the e-mail address provided by you. The legal basis for processing of your personal data is your consent according to Art. 6, para. 1, sentence 1, lit. a) GDPR. This consent may be revoked at any time with effect for the future. When you register for the newsletter, we document the issued consent on the basis of Art. 6, para. 1, sentence 1, lit. f) GDPR. Newsletter analysis by means of link tracking enables us to analyze the success of our newsletter campaigns and determine, for example, whether the newsletter was opened at all or whether any links were clicked. In this way, we can determine, for example, what content in our newsletter was particularly appealing to recipients. The newsletter analysis is carried out with anonymized data so that the data cannot be linked to any individual persons. Unfortunately, it is not possible to object to the newsletter analysis separately. Please unsubscribe from our newsletter service if you do not wish to participate in the newsletter analysis.

Data categories and data origin
When you register for the newsletter service on our website, the data from the contact form is transmitted to us. To register for the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to enter your salutation, first and last name and company name so that we can address you personally in the newsletter. We use the so-called double opt-in procedure for the registration process. After registration, you receive an e-mail with a confirmation link. You are included in the newsletter mailing list only after this link has been clicked. In this way, we prevent unauthorized third parties from registering with your e-mail address. We maintain records for the registration process in order to comply with the legal requirements. The data from the contact form as well as the date and time of the registration confirmation are stored.

Recipients of personal data
We use an external service provider as a data processor who processes your personal data on our behalf for the provision of newsletters and for newsletter analysis.

Duration of storage
If you do not confirm your registration to our newsletter service after receiving the corresponding registration e-mail, your information is deleted automatically after 30 days. We process your personal data for the duration of the newsletter subscription. You can cancel the subscription at any time with effect for the future and in this way revoke your consent to receive newsletters/object to the processing of your personal data for advertising purposes. A corresponding unsubscribe option is provided for this purpose on our website and in every newsletter. After revocation of your consent/objection to advertising, no further newsletters will be sent out to you and your personal data will be removed from our active mailing list.

Friendly Captcha

Processing purposes and legal basis
We use "Friendly Captcha®" bot/spam protection from Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany, ("the provider") to check whether data is entered on our website by a human or by an automated program. You can find more information on this at: https://friendlycaptcha.com/legal/privacy-end-users/

Data is processed on the basis of Art. 6, para. 1, sentence 1(c) in conjunction with Art. 32, para. 1 of the GDPR. We have an order processing contract with the provider in accordance with Art. 28 para. 3 of the GDPR.

Data categories and data origin
When you visit a website that contains the Friendly Captcha widget and sends a puzzle request, the following log data is processed:

• the request header User-Agent, origin, and referrer,
• the puzzle itself, which contains information about the account and website key to which the puzzle relates,
• the widget version,
• a timestamp,
• anonymized IP Address,
• anonymized meter per IP Address.

Duration of storage
If personal data is processed, it will be deleted at the latest after 30 days.

External links

Our web pages contain links to third-party websites. When you click these links, you leave our sphere of influence. The responsibility for the processing of personal data lies with the respective operators of the linked websites. We recommend that you read the applicable notes on data processing there before using linked websites.

OpenStreetMap

We include maps of the OpenStreetMap service of the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom as external content on our web pages in order to make our web pages more appealing and interesting.

If you consent to the privacy settings by ticking off the "External content" box (Art. 6, para.1, sentence 1, lit. a) in conjunction with Art. 7 GDPR), a connection is established to the servers of the provider and your IP address is automatically transmitted to the provider to enable the display of the maps and the map functions. We have no influence over the data processing operations at OpenStreetMap. For more information on data processing by Open Street Maps, please visit https://wiki.osmfoundation.org/wiki/Privacy_Policy.

The consent is voluntary. However, we would like to point out that you cannot use this function without providing your consent. 

You can revoke your consent at any time with effect for the future, e.g., by unchecking "External content" in the privacy settings. 

Social Media

The LinkedIn, Xing and Instagram logos displayed on our web pages are linked to our respective profiles on these social networks, but no data transmission to these social networks takes place through the integration of these logos. If you click any of the logos, you will be redirected to the external website of the respective social network. Notes on data processing via our profiles within the social networks can be found in our "Social Media Privacy Policy.

Youtube

Within our website, we use with your consent in accordance with § 25 para. 1 TTDSG in conjunction with. Art. 4 No. 11, Art. 7 DSGVO, we use the YouTube embedding function of Google Ireland Limited to display and play YouTube videos. Any processing of your personal data associated with the embedding takes place on the basis of your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) DSGVO. Pursuant to Art. 49 (1) sentence 1 lit. a) DSGVO, your declaration of consent also expressly includes the possible global transfer and processing of data by other group companies of Google LLC. In this regard, we would like to expressly point out any risks, for example, the far-reaching access rights of investigating authorities and the more difficult enforcement of data protection rights.

By displaying the video content, the user's IP address and other browser-related information is transmitted to Google. By embedding the videos in extended data protection mode, no further personal data is processed beyond this. Only when the video is clicked on for viewing is additional information transmitted to Google so that the video content can be displayed. If you are logged in as a user of YouTube, Google assigns this information to your respective personal user accounts.

The purpose and scope of data processing by Google, as well as your rights in this regard and settings options for protecting your privacy, can be found in Google's privacy policy. The consent is voluntary. However, we would like to point out that you cannot use this function without providing your consent. You can revoke your consent at any time with effect for the future, e.g., by unchecking "External content" in the privacy settings. 

We provide a platform for tracking and recording consignments under the name myStreck.

myStreck consignment tracking can usually be used without registration and login. However, registration and login are required in order to use the consignment recording and extended consignment tracking functionalities. This service is available exclusively to entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB) who are our business partners or legal entities who are business partners of Streck Transport AG.

Information on joint responsibility pursuant to Article 26, Section 2 (2) of the EU General Data Protection Regulation (GDPR)

We, Streck Transportgesellschaft mbH and Streck Transport AG, Industriestrasse 30, 4313 Möhlin,⁠Switzerland, work in close cooperation on the myStreck platform. This also applies to the processing of your personal data. The Parties have jointly determined which of them fulfils which obligation under the GDPR, in particular with regard to the exercise of the rights of the data subject, and who fulfils which information obligations under Articles 13 and 14 of the GDPR. As such, they are jointly responsible for the protection of your personal data within the processes described below (Article 26 of the GDPR).

Within the scope of their joint responsibility under data protection law, the Parties have agreed that each Party shall be separately responsible, within the scope of the personal data collected by them in each case, for the fulfilment of the information obligations pursuant to Article 13 or 14 of the GDPR and the provision of the essential content of this Agreement pursuant to Article 26, Section 2 of the GDPR. They shall make the information required under Articles 13 and 14 GDPR available to data subjects free of charge in a precise, transparent, comprehensible and easily accessible form in plain and simple language. Each Party shall provide the other Party with all necessary information from their area of responsibility.

All other obligations under the GDPR are fulfilled by Streck Transportgesellschaft mbH. We are central contact points for the assertion of data subject rights in accordance with Articles 15 to 22 of the GDPR. You can find our contact details under the "data controller and data protection officer" section.

Streck Transport AG shall inform us without delay of any legal positions asserted by data subjects pursuant to Articles 15 to 22 of the GDPR and shall provide us with all information necessary for the fulfilment of the rights of the data subjects pursuant to Articles 15 to 22 of the GDPR.

Pursuant to Article 26, Section 3 of the GDPR, data subjects may assert their data protection rights pursuant to Articles 15 to 22 of the GDPR both with Streck Transportgesellschaft mbH and Streck Transport AG.

Visit the "myStreck" website

Processing purposes, legal basis, data categories

When visiting our website "mystreck.streck.de", your browser transmits "server log files" to our server, which may enable identification. The information on processing purposes, legal bases, data categories and data origin corresponds to the information provided above under "visit our website".

Duration of storage 

This data is deleted as soon as it is no longer required for the aforementioned purposes. The log files are currently deleted after 7 days. We also reserve the right to check the files in this respect if concrete indications justify the reasonable suspicion of unlawful use or a specific attack on our website. Data whose further storage is necessary for evidence purposes shall be deleted as soon as they are no longer required for such purposes.

Cookies

Processing purposes, legal basis, data categories

Information on the processing purposes, legal basis, data categories and data origin of cookies can be found above under "visit our website" under the subheading "cookies".

We use the cookie "X-ENV-ClientLocale", which is technically necessary for website operation and to provide your preferred language selection.

When using "myStreck", another technically necessary cookie "X-ENV-SessionToken" is set in order to determine whether you are a recurring user.

Duration of storage

Both cookies are session cookies and are automatically deleted at the end of your visit to our website.

myStreck consignment tracking without login

Processing purposes, legal basis, data categories

We process contract-related data on your consignment including the names and address data of clients, consignors and consignees, current work status, time of delivery as well as consignment-related data such as the number of packages, contents, weight, length, width, height, volume from the transport management systems in order to show you the status of the consignment. This data processing is carried out for the purpose of implementing the transport contract concluded with the client in accordance with Article 6, Section 1 (1), lit. b) of the GDPR. We receive this data from the client, our system partners and carriers.  

Duration of storage

The data is usually kept in the platform for 90 days.

myStreck for registered business partners

Processing purposes, legal basis, data categories

Thanks to the myStreck platform, we offer our business partners and business partners of Streck Transport AG the possibility of logging into the closed area of myStreck after registration to make use of additional services of myStreck's consignment tracking, or to prepare and process transport orders with consignment recording.

As part of the user relationship, we process your personal data required for the initiation and execution of the Agreement, such as name, email address and, if applicable, assignment to the business partner for whom you work. Your personal data is processed for the purpose of initiating and implementing the user relationship established by the registration and, if applicable, for initiating or implementing further contracts. The legal basis for this is Article 6, Section 1 (1), lit. b) of the GDPR.

If you use myStreck for registered business partners, we also process the following usage data in addition to your access data: Date and time of access, IP address, name and version of the web browser you are using in order to ensure and optimise the stability and security of the myStreck consignment tracking platform. The legal basis for this is Article 6, Section 1 (1), lit. f) of the GDPR.

We process personal data of business partners, consignors and consignees, including their contact persons, for the transport contract/order: Contract or order-related data such as name and address data, current work status, time of delivery, proof of delivery as well as consignment-related data such as number of packages, content, weight, length, width, height, volume for the initiation and processing of the transport contract/order pursuant to Article 6, Section 1 (1), lit. b) of the GDPR.

As a user with a login, you can add a profile picture to your user account. By uploading a picture of yourself, you declare your consent pursuant to Article 6, Section 1 (1), lit. a) in conjunction with Article 7 of the GDPR for the processing of your picture for the aforementioned purpose. Insofar as the picture reveals information about your ethnic origin, religion or health (e.g. skin colour, headgear, glasses) and/or the picture contains metadata (date, time, GPS data), your consent also includes this information within the scope of the stated purpose. Consent is given voluntarily. You can revoke your consent at any time without giving reasons with effect for the future, e.g. by deleting your profile picture from your user account. You will not suffer any disadvantage from refusing consent or revoking it.

Duration of storage

We process and store your personal data as long as it is necessary for the fulfilment of the user relationship and legal obligations. In this regard, personal data may be retained for the period of assertion, exercise or defence of legal claims (statutory limitation periods of three to thirty years). Corresponding obligations to provide proof and to keep records result, for example, from commercial and tax law regulations, where the storage period in accordance with Section 147 of the German Revenue Code (AO), and Section 257 of the German Commercial⁠Code (HGB) is usually 6 or 10 years at the end of a financial year.

Currently, the storage period of your log data processed when using myStreck is a maximum of 90 days. 

Data regarding a transport contract/order is available in myStreck for 90 days.

Recipients of personal data

Your personal data will only be disclosed internally to the persons in the departments who require it for the fulfilment of the stated purposes. Furthermore, clients, our system partners, carriers and, if applicable, other third parties involved in the fulfilment of the transport contract, e.g. customs authorities, insurance companies, may receive personal data for these purposes.

We use external service providers as processors for the provision, maintenance and support of myStreck, who may therefore have access to your personal data.  External service providers are carefully selected by us and we conclude commissioned processing contracts in accordance with Article 28 of the GDPR with all service providers who process personal data on our behalf.

Verarbeitungszwecke sowie Rechtsgrundlage
When you contact us (e.g., via our contact form, by e-mail, by telephone), the personal data provided by you is processed and stored for the purpose of processing your request or establishing contact with you. If your request requires the involvement of another company in our group of companies in order to process your request in the best possible way, it may be necessary to share your request-related data with this company.

The legal basis within the scope of contractual/pre-contractual relationships is Art. 6, para. 1, sentence 1, lit. b) GDPR and for other requests, your consent in accordance with Art. 6, para. 1, sentence 1, lit. a) GDPR or our overriding legitimate interest in the efficient, customer-friendly processing of your request in accordance with Art. 6, para. 1, sentence 1, lit. f) GDPR, as long as this is done in accordance with the data protection requirements.

Data categories and data origin
We process the data provided by you (e.g., your e-mail address, your name, your telephone number). Please only send us the data and information necessary to process your request.

Recipients of personal data
In individual cases, your request may concern a company of our group of companies that is located outside the EU/EEA (Switzerland). In these cases, we will only forward your data with your consent (Art. 49, para. 1, sentence 1, lit. a) GDPR) or if this is expressly stipulated in the contract with you or your company (Art. 49, para. 1, sentence 1, lit. b,c) GDPR).

Duration of storage
If your request is associated with a contract, we will delete your personal data after the end of the contract term. Otherwise, we will delete your personal data if you withdraw your consent and we no longer have a legal obligation or a legitimate interest in processing your data.

Processing purposes and legal basis
We process personal data in accordance with the provisions of the GDPR and the national data protection regulations:

a) On the basis of your consent (Art. 6, para. 1, sentence 1, lit. a) GDPR)
Insofar as you have given us your consent to process your personal data for certain purposes in individual cases (e.g., to access video and photo content, to subscribe to our newsletter), this processing is lawful on the basis of your consent. Your consent may be revoked by you at any time with effect for the future.

b) Within the scope of contract fulfillment or for the implementation of pre-contractual measures (Art. 6, para. 1, sentence 1, lit. b) GDPR)
We process personal data primarily for the fulfilment of contractual obligations and the provision of the associated services or within the scope of a corresponding contract initiation (e.g., contract negotiations, preparation of an offer). The specific purposes here depend on the respective service to which the business relationship or the contract initiation refers, in particular in connection with orders from customers. We also process personal data when executing the provided services, in particular with regard to invoices, accounts receivable management, payment reminders and debt collection.

In particular, data is processed for the following purposes:

• Initiation, implementation and execution of transport, forwarding and logistics services, including land transport, air and sea freight, logistics and outsourcing, supply chain management and customs management
• Within the scope of the provided services, in particular transport and logistics services, personal data is processed on the basis of contracts concluded with you, the senders or the recipients. This data is used, for example, for the execution of (transport) contracts, for the management of customer data, for payment processing and, if necessary, for the execution of creditworthiness checks. Certain shipment data is provided to the authorities of transit or destination countries for customs and tax clearance or for security screening, as required by the laws of the respective countries. Such data usually includes the name and address of the consignor, the name and address of the consignee, a description of the goods, the number of items, the weight and value of the consignment.
• Communication with customers, service providers, subcontractors, business partners and authorities
• Support, in particular for the purpose of responding to inquiries from our contact persons, interested parties, customers or partners
• The organization, planning, implementation and management of the business relationship between us and our customers, suppliers and business partners as well as our affiliates and cooperation partners.

c) Due to legal obligations (Art. 6, para. 1, sentence 1, lit c) GDPR) in conjunction with the respective special legal regulation).

The purposes of the processing include, among others,

• the fulfilment of tax and social security control and reporting obligations. This also includes statutory reporting obligations for the provision of services and the posting of employees abroad in accordance with A1 procedures.
• Implementation of the technical and organizational measures according to Art. 32 GDPR.
• Sanctions list comparison with international sanctions lists, supranational sanctions lists of the EU and national sanctions lists of EU and EEA member states.
• Compliance with aviation safety regulations. This also includes the implementation of the reliability check (ZÜP).

d) To safeguard legitimate interests (Art. 6 para. 1, sentence 1, lit. f) GDPR)
If necessary, we process your data beyond the actual fulfillment of the contract in order to safeguard our legitimate interests or those of third parties, namely:

• Data processing for the purposes of ensuring security, quality assurance and process optimization: To the extent permitted by law, we process the personal data collected in the course of contract fulfillment for (data) security purposes (e.g., for the purpose of detecting criminal offences or misuse), for compliance measures, including data comparison with other global sanctions lists than those listed under c), for the creation of statistics as well as for quality assurance, process optimization and planning security on the basis of our legitimate interest in ensuring a smooth operation and the continuous improvement of the respective products and services. Based on our assessment, there is no overriding legitimate interest of the data subjects, because the intensity of the impact of processing is minimized as much as possible, for example through the use of pseudonyms. The legal basis for this data processing is Art. 6, para.1, sentence 1 lit. f) GDPR.
• Settlement of disputes, enforcement of existing contracts and the assertion, exercise and defense of legal claims
• Maintaining and protecting the security of our systems and IT operations
• Measures for building security and system security (e.g., access control or video surveillance)
• Exchange of control and planning data
• Creditworthiness checks
• Sales and marketing activities
• Customer care and communication with potential clients 

Data categories and data origin
(a) The categories of processed personal data include:

• Master data (salutation, first and last names, address, function, department)
• Contact details (telephone number, mobile number, fax number and e-mail address)

• Company-related data

• Contract data (services used, contract content, contractual communication, names of contact persons)
• necessary data for the processing of requests, possibly also creditworthiness data
• CRM data, in particular customer history, customer statistics
• Advertising and sales data and other data from comparable categories
• Support requests
• Other information required for the fulfillment of our contractual relationship or a project with our customers or sales partners (such as payment data, order data, etc.)
• when our online services are used, the IP address, the data required for your identification and use, the time of the respective user action
• for access control purposes, photo for identification and access zones, if applicable

b) We process personal data that we have obtained from business relationships (for example with customers or suppliers) or inquiries. We usually receive this data directly from the contractual partner or the person making the inquiry. However, personal data can also originate from public sources (e.g., the commercial register) to the extent that the processing of such data is permitted. Personal data may also have been transmitted to us by other companies. Depending on the individual case, we also store our own information for this data (e.g., within the scope of an ongoing business relationship).

Obligation to provide data
Within the scope of contract initiation or implementation, you must provide the personal data that is necessary for the implementation of pre-contractual measures and for the fulfilment of the contract and the obligations associated with it. If this data is not provided, we will not be able to conclude a new contract or fulfill an existing contract with you. Furthermore, you must provide the personal data that we are legally obliged to collect and process. In cases where the collection of data is based on consent, the provision of data by you is voluntary and not mandatory.

Recipients of personal data
The persons within our company who receive access to your personal data are the persons who need your personal data in order to fulfil our contractual and legal obligations or to safeguard our legitimate interests.

Personal data is transferred to the third parties involved in the respective order insofar as this is necessary to achieve the purposes of data processing or we have to transmit the data for legal reasons.

We may transfer personal data to courts, authorities or law firms insofar as this is legally permissible and necessary to comply with the applicable law or to assert, exercise or defend legal claims.

Furthermore, service providers and vicarious agents employed by us may receive data for these purposes. We may only pass on information about you if this is required by the statutory provisions, if you have given your consent, if we are legally authorized to provide or pass on information and/or the data processors commissioned by us guarantee compliance with the confidentiality obligations and the requirements of the General Data Protection Regulation and the Federal Data Protection Act to the same extent.

External service providers that process data on behalf of Streck offer sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing is carried out in accordance with the data protection requirements. In accordance with Art. 28 GDPR, they are contractually obliged to maintain strict confidentiality and are bound by instructions. In these cases, we are still responsible for the protection of your personal data.

Under these conditions, the following recipients can receive data

• affiliated companies, as data processors within the scope of financial controlling or data processing
• Customers, suppliers, business and cooperation partners as well as authorities within the scope of order processing and cooperation
• Data processors, in particular cloud services
• IT service providers within the scope of the (remote) maintenance of IT systems
• Subcontractors for order fulfillment, in particular with regard to transport and logistics
• Customers within the scope of business correspondence and order documentation
• Auditors
• Service providers for creditworthiness checks
• Compliance screening service providers
• public authorities for the fulfilment of statutory notification obligations, e.g., tax authorities, competent authorities in A1 procedures
• Data destruction service providers
• Lawyers, tax consultants and auditors
• Debt collection service providers
• Banks, payment card processors (credit cards) and payment service providers
• Telephony providers
• Insurance companies

Data transfers to third countries
Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is permitted or prescribed by law, if you have given us your consent or if the special requirements of Art. 44 et seq. GDPR are met within the scope of order processing.

Duration of storage
We process and store your personal data as long as it is necessary for the fulfilment of the above-mentioned purposes and, in particular, for the fulfillment of contractual and legal obligations. In certain cases, personal data may be stored for the period of time during which legal claims may be asserted, exercised or defended (statutory limitation periods of three to thirty years). In addition, we store your personal data if and to the extent that we are legally obliged to do so. Corresponding record-keeping and data retention obligations arise, for example, from commercial, tax and social security regulations. The storage period for data stored under tax and commercial law according to Section 147 of the Federal Taxation Regulation (AO), Section 257 of the Federal Commercial Code (HGB) is normally 6 or 10 years to the end of a financial year. If the processing of your personal data is based on your consent, we will delete the data if the consent is revoked by you and there is no other applicable legal basis.

Automated decision-making and profiling
In principle, we do not use fully automated decision-making according to Art. 22 GDPR for the establishment and implementation of the business relationship. No profiling operations take place.

The HR management of Streck Transportges. mbH, E.F.K. Gütertransport GmbH and Cargo Handling Raunheim GmbH is organized in a centralized manner at Streck Transportges. mbH and your application is processed there. You can submit your application by e-mail, regular mail or via the applicant portal on our website.

Processing purposes and legal basis
We process your personal data only for the purposes and within the scope of the application procedure in accordance with the legal requirements of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other relevant laws (e.g., the Works Constitution Act). Your personal data is processed for the purpose of implementing the application procedure and deciding on the establishment of an employment relationship on the legal basis of Art. 6 para. 1 S. 1 lit. b) GDPR. Insofar as special categories of personal data within the meaning of Art. 9, para. 1 GDPR are processed, the processing is done on the basis of Section 26, para. 3, 4 BDSG, unless consent has been granted separately according to Art. 9 para. 2 lit. a), Art. 7 GDPR, Art. 88 para. 1 GDPR i.V.m. Section 26, para. 2 BDSG. The processing of data that you voluntarily provide to us and that is not absolutely necessary for the implementation of the application procedure is based on your consent given through the transmission of the application in accordance with Art. 6, para. 1, sentence 1, lit. a) in conjunction with Art. 7 GDPR for the aforementioned purposes. You can revoke your consent at any time and without specifying any reasons with effect for the future. Your personal data is also processed for the fulfilment of legal obligations according to Art. 6, para. 1, sentence 1, lit. c) GDPR (e.g., sanction list checks on the basis of Art. 6, para. 1, sentence 1, lit. c) GDPR in conjunction with regulations under EU law on economic sanctions as well as other binding international resolutions, (if applicable) reliability testing according to Section 7 of the Federal Aviation Security Act (LuftSiG)) and, if necessary, to safeguard legitimate interests in accordance with Art. 6, para. 1, sentence 1, lit. f) GDPR. These include: ensuring compliance with security regulations, requirements, industry standards and contractual obligations, the assertion, exercise or defense of legal claims. If you participate in the "employees recruit employees" programme, we process your personal data for the purpose of carrying this programme out and to settle the advertising premium with the employee who referred us, in accordance with Article 6, Section 1 (1), lit. b) and f) of the GDPR. Our legitimate interest in this processing is the carrying out of the "employees recruit employees" programme, the expansion of the circle of potential applicants and the increase of our level of awareness as an employer.

Data categories and data origin
The categories of processed personal data include, in particular:

• Master, contact and communication data,
• Data on the content of former/current employment relationships, e.g., work tasks, performance data, occupied positions. (This data may be derived from your cover letter/CV/attached references),
• various other types of information, such as the earliest starting date, regional mobility, desired number of hours and duration of employment, previous employment, additional qualifications, references or information indicating how you became aware of this position,
• other types of voluntarily provided information, such as data on non-professional interests: hobbies, volunteer work
• other data that you voluntarily provide to us during the application process, e.g., in your application letter, CV or certificates, photographs

In addition, we collect and process data as part of personnel screening within the scope of the application process (e.g., police clearance certificates, sanctions list checks, reliability checks, if applicable) and, if applicable, data on health suitability.

As a general rule, your personal data is collected directly from you as part of the application process. You have the option to send us your application via the applicant portal on our website. The data is encrypted and transmitted to us according to the technical state of the art. If you send us your application via e-mail, please note that e-mails are generally not sent in encrypted form and it is up to you to ensure that they are encrypted. We do not assume any responsibility for the transmission of your application until we receive it on our server and therefore recommend that you either use the applicant portal or you send us your application by regular mail. If you use the applicant portal, the required data is marked accordingly; in all other cases, you can find out what data is required from the job description. Under certain circumstances, your personal data may also be collected from other entities on the basis of legal regulations. In addition, we may receive personal data from third parties (e.g., from recruitment agencies), who pass it on to us under their own responsibility.

Obligation to provide data
You are not obliged to provide us with personal data. However, the application process requires that you provide us with the personal data necessary to implement the application process and to assess your suitability. Without this personal data, we cannot consider your application.

Recipients of personal data
Your personal data will only be passed on to the persons and entities (e.g., departments, works councils) who need it for the implementation of the application process, for making the recruitment decision, and for fulfilling our (pre-)contractual and legal obligations and requirements. Furthermore, service providers and vicarious agents employed by us may receive personal data for these purposes. We will only pass on your personal data if this is required by statutory provisions, if you have given your consent, if we are legally authorized to pass it on and/or the data processors commissioned by us guarantee compliance with the confidentiality obligations and the requirements of the General Data Protection Regulation and the Federal Data Protection Act to the same extent.

Data transfers to third countries
Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is permitted or prescribed by law, if you have given us your consent or if the special requirements of Art. 44 et seq. GDPR are met within the scope of order processing. 

Further processing
If your application is successful, your personal data can be further processed by us for the purposes of the employment relationship.

Within the scope of the application process, we offer you the opportunity to be included in our "talent pool" for a period of two years on the basis of your consent within the meaning of Art. 6, para. 1, sentence 1, lit. a) in conjunction with Art. 7 GDPR.

The application documents in the talent pool are processed exclusively within the scope of future job advertisements and the search for employees and will be destroyed at the latest upon expiry of the above-mentioned period. Your consent to be included in the talent pool is voluntary and does not affect the current application process: you can revoke your consent at any time with effect for the future.

Duration of storage
If the application for a job offer is unsuccessful or your personal data is not necessary for the establishment, implementation and termination of the employment relationship, your personal data will be deleted. Your personal data will also be deleted if your application is withdrawn (you are entitled to withdraw your application at any time).

The deletion will take place, unless we are legally obliged or entitled to store the data for a longer period of time, at the latest upon expiry of a period of six months after the end of the application process in order to ensure that we are able to answer any follow-up questions pertaining to the application and meet our obligations under the General Equal Treatment Act (AGG), unless you have expressly given your consent to the further storage of your personal data for the purpose of being contacted by us in the event of future job advertisements. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Automated decision-making and profiling
In principle, we do not use automated decision-making according to Art. 22 GDPR for the initiation and implementation of the application procedure. No profiling operations take place. 

Processing purposes and legal basis
We collect, process and use your personal data in accordance with the applicable data protection regulations only to the extent necessary for the implementation and processing of the prize draw/with the consent of the data subjects. The personal data that has to be provided within the scope of the prize draw is used for implementing and processing the prize draw, for determining and notifying the winners, for enabling the exercise of the granted rights of use and for mailing of the prize. The legal basis for data processing here is the consent of the participants in accordance with Art. 6, para. 1, sentence 1, lit. a) GDPR.

Furthermore, we process personal data in accordance with Art. 6, para. 1, sentence 1, lit. f) GDPR to ensure the proper implementation of the prize draw (e.g., for age verification) and in accordance with Art. 6, para. 1, sentence 1, lit. c) GDPR insofar as this is necessary for the fulfilment of legal obligations. This includes, for example, the obligation to comply with data retention periods under commercial and tax law.

Data categories and data origin
The following data is collected by us within the scope of participation in the prize draw: User ID, possibly contact details. In the event of a win, we have to collect the first and last name, the address data and possibly the date of birth of the winner. This data is sent to us by the data subject via direct message or by e-mail.

Recipients in the event of data transfers
The personal data is only received by persons and departments within our company who need this data in order to implement and process the prize draw and possibly publish the winner(s).

The personal data is only passed on to third parties if and to the extent that this is necessary for the implementation and processing of the prize draw or the transfer or provision of the prize.

Duration of storage
We process and store the personal data of the data subjects as long as this is necessary for the fulfilment of the above-mentioned purposes and, in particular, for the fulfillment of contractual and legal obligations. If the data is no longer necessary for the fulfilment of the purposes, it is deleted on a regular basis, unless its temporary further processing is necessary (due to the application of statutory retention periods or for safeguarding our legal claims). However, posts on social media platforms may remain and continue to be publicly visible. If the data processing is based on consent, we will delete the respective data if the consent is revoked by the data subject and there is no other applicable legal basis.

In order to actively communicate with users and to provide information about our company, we maintain a number of different social media profiles, partly under joint responsibility with social network operators listed below.

The use of social media is not required to communicate with us or to obtain information about our company. The information that we publish about these services is also available in the same or a similar way here: https://www.streck-transport.de. You can get in touch with us at any time via kommunikation@streck.de. We would like to point out that you use the services offered here and their functions under your own responsibility.

Please note that when you use our social media profiles in the social networks mentioned below, the social network operators may potentially process your personal data outside the European Union and outside the European Economic Area. This can result in potential risks for users, e.g., by making it more difficult for data subjects to enforce their data protection rights. At the same time, however, we would like to point out that, to the extent that this is supported by the operators of the social networks, we strive to work towards the conclusion of agreements on joint responsibility in accordance with Art. 26 GDPR and of standard data protection clauses in accordance with Art. 46, para. 2, lit. d GDPR.

In addition, we would like to draw attention to the fact that social network operators usually process the personal data of users for their own market research and advertising purposes. Any usage profiles generated from usage behavior can be used to display interest-based advertisements outside the social networks. For this purpose, the operators of social networks generally store cookies on the users' computers so that device information, user behavior and user interests can also be processed if the users do not have profiles in the respective network.

You can find more information in this regard and with regard to potential options to lodge an objection in the privacy policies and in further information provided by the respective operators of social networks, which we have linked for you below.

The following also applies to the processing of personal data:

Processing purposes and legal basis
Insofar as data is processed under our responsibility, it is processed for the purposes of information provision, communication, marketing and reach measurement. The operation of social media profiles is based on our legitimate interest according to Art. 6, para. 1, sentence 1, lit. f GDPR, whereby the respective interests arise from the aforementioned purposes.

Categories of data
The processed data categories include basic personal data (e.g., names), contact data (e.g., e-mail addresses), content data (e.g., text entries), usage data (e.g., interest in content) as well as meta and communication data (e.g., device information and IP addresses).

Storage period
The data categories processed by us are stored solely within the respective social network. In most cases, we have no influence over the specific storage period, because this period is determined by the social network providers. You can find more information in this regard in the privacy policy of the respective provider. If the storage period can be influenced by us in individual cases, the data is deleted after the purpose has been fulfilled in compliance with the statutory retention obligations.

Services and service providers used by us and network-specific information
Below, we inform you about the services and service providers we use as well as about network-specific information by stating the respective responsible bodies within and outside the EU / EEA. We do not transfer any further data.

Instagram, Facebook Ireland Limited / Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA

• Privacy information

LinkedIn, LinkedIn Ireland Unlimited Company / LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 USA

• Privacy information
• Possibility to object against targeted advertisements

YouTube, Google Ireland Limited / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

• Privacy information
• Possibility to object against targeted advertisements
• Browser add-on to disable Google Analytics

Xing / kununu, New Work SE

• Privacy information
• Possibility to object against tracking and other analyses of user data

Notes on data subject rights
With regard to the assertion of data subject rights, we would like to point out that the notices should be addressed directly to the respective social network operators so that comprehensive measures can be initiated. Only the operators have access to all of the collected personal data of users and can therefore provide more comprehensive information and institute potential actions. If you need assistance with this, you can, of course, contact our data protection officer at any time.

Processing purposes, legal bases, data categories

Data subject requests

If you assert your data protection rights with us in accordance with Articles 12-22 of the GDPR, we will need to process your personal data in order to process your request, for example, to verify your identity, search our database or correspond with you. This usually involves processing and documenting your details, any information you have given us and correspondence. The legal basis for processing the data subject's request is Article 6, Section 1 (1), lit. c) of the GDPR. If we need to process special categories of personal data in order to process your request, this is done on the basis of Article 9, Section 2, lit. g) of the GDPR. The legal basis for the documentation of the lawful processing of data subject enquiries is Article 6, Section 1 (1), lit. f) of the GDPR. Our legitimate interests are the fulfilment of our accountability, enforcement of legal claims as well as legal defence.

Data breaches

As part of the investigation and processing of a possible data breach, we process the data records that may be affected. When notifying a data breach to the supervisory authority, we process the personal data to be submitted in accordance with the notification form, and when notifying data subjects, we process their contact data. We also process the data to document the data breach. The processing is carried out for the fulfilment of our legal obligations pursuant to Article 6, Section 1 (1), lit. c) in conjunction with Article 33 and 34 of the GDPR. The legal basis for the documentation of the data breach is Article 6, Section 1 (1), lit. f) of the GDPR. Our legitimate interests are the fulfilment of our accountability, enforcement of legal claims as well as legal defence.

Obligation to provide data

You are not obliged to provide us with personal data. However, the implementation of your request requires that you provide us with the personal data that is necessary for this purpose. Without this personal data, we may not be able to process your request in the legally required manner.

Recipients of personal data

Your personal data will only be disclosed internally to those persons and bodies who require it for the review and implementation of the asserted data subject right. Furthermore, service providers, vicarious agents, order processors as well as authorities, legal advisors or courts used by us may receive personal data for these purposes. However, we will only pass on your personal data if we are legally authorised or obliged to do so, and/or if processors commissioned by us equally ensure compliance with the relevant data protection requirements.

Data transfers to a third country

Data transfer to countries outside the EU or the EEA (so-called third countries) only takes place if this is necessary, legally permitted or prescribed and the special requirements of Article 44 et seq. of the GDPR are met.

Duration of storage

Communications and documentation are generally kept for 3 years, starting from the end of the year in which the processing of the request is completed.

Automated decision making and profiling

As a matter of principle, we do not use automated decision making for this purpose. Profiling is not carried out.

Information on joint responsibility according to Art. 26 para. 2 GDPR

The joint data controllers

• Streck Transportgesellschaft mbH, Brombacher Str. 61, D-79539 Lörrach
• Cargo Handling Raunheim GmbH, Brombacher Straße 61, 79539 Lörrach
• E.F.K. Gütertransport GmbH, Brombacher Straße 61, 79539 Lörrach

jointly operate a whistleblower system in accordance with the Whistleblower Protection Act (HinSchG) for natural persons who have obtained information about violations in connection with their professional activities or in advance of a professional activity and wish to report or disclose them, and a complaints system in accordance with the General Act on Equal Treatment (German abbreviation: AGG)) for their employees. In the whistleblower and complaints system, the joint data controllers have jointly determined the purposes and means of processing. The joint data controllers have recourse to a single point of contact and a single reporting point for this purpose.

The joint data controllers have determined that Streck Transportgesellschaft mbH is responsible for:

• Provision of a contact person for the single reporting point and, in the event that this contact person is the subject of a report, an additional contact person
• Receipt and processing of reports by the contact person, which the single reporting point forwards to the contact person
• if necessary, data transfer to one of the other joint data controllers or to third parties to process the report

In this respect, Streck Transportgesellschaft mbH is responsible for the processing of personal data. For the other processing activities, each party is an independent data controller within the meaning of Art. 4 No. 7 GDPR.

Within the scope of their joint responsibility under data protection law, the parties have agreed that each party shall be responsible separately, within the scope of the personal data collected by it, for fulfilling the information obligations pursuant to Art. 13 or 14 GDPR and for providing the essential content of this agreement pursuant to Art. 26 para. 2 GDPR. They shall make the information required pursuant to Art. 13 and 14 GDPR available to data subjects free of charge in a precise, transparent, understandable and easily accessible form in clear and simple language. Each party shall provide the other party with all necessary information from its sphere of activity.

Streck Transportgesellschaft mbH is the central point of contact for the assertion of data subject rights pursuant to Art. 15 to 22 GDPR.

The other joint data controllers shall inform Streck Transportgesellschaft mbH immediately of legal positions asserted by data subjects pursuant to Art. 15 to 22 GDPR and provide it with all information necessary for the fulfilment of the rights of data subjects pursuant to Art. 15 to 22 GDPR.

Pursuant to Art. 26 para. 3 GDPR, data subjects can assert their data protection rights pursuant to Art. 15 to 22 GDPR with each of the joint data controllers.

If you wish to assert your rights or obtain further information, please contact datenschutz@streck.de, the data controller or its data protection officer using the contact details given above.

Processing purposes and legal bases

The lawyers Claudia Vogel and Dr. Stefanie Heinrich, Egonstraße 51, 79106 Freiburg, perform the task of the single reporting point. Their role is to receive and process reports in accordance with the HinSchG and the AGG, also with the option of assuring confidentiality or the option of an anonymous report.

Privacy policy: vogel-heinrich.eu/datenschutzerklaerung

In the context of a procedure pursuant to the HinSchG or the AGG, personal data may be transmitted to us and processed by us.

Data processing takes place on the basis of your consent pursuant to Art. 6  para. 1 p. 1 lit. a), Art. 7 GDPR, possibly in conjunction with Art. 9 para. 2 GDPR if you have voluntarily consented to the transfer of your personal data from the reporting point to us and to fulfil our legal obligations pursuant to Art. 6 para. 1 p. 1  lit. c) GDPR in conjunction with §§ 10, 11, 12 HinSchG, §§ 12, 13 AGG.

For employees, the legal basis for the processing of data can also be derived from Art. 6 para. 1 p. 1 lit. b) GDPR (execution of the employment contract) or from Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 2 BDSG if there are factual indications to be documented that justify the suspicion that the employee has committed a criminal offence in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in excluding the processing does not prevail.

If necessary, we also process your personal data to protect legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f) GDPR, such as for the assertion, exercise or defence of legal claims, insofar as this is not contrary to the overriding legitimate interests and fundamental freedoms of the data subject.

If and to the extent that special categories of personal data are processed, this shall only be done in compliance with the applicable data protection regulations of Art. 9 para. 2 to 4 GDPR.

Data categories and data origin

Only the personal data that is objectively necessary for the purposes of the respective procedure and that is disclosed by the whistleblower or complainant is processed. In particular, this can include the following data categories:

• Personal master data
• Operational data
• Occupational data
• Note data

We receive your personal data either from the reporting point or as part of the procedure following the report.

Obligation to provide data

You are not obliged to provide us with your personal data. The reporting point commissioned by us will only transmit personal data of the reporting person to us with their consent.

Recipients of personal data

We treat your personal data confidentially, insofar as this is possible and permissible. We only pass on your personal data to third parties if there is a legal basis for this or if you have previously given your consent to the corresponding data transfer. In the context of proceedings under the HinSchG or AGG, the following recipients in particular may be considered, insofar as this is necessary to clarify the facts and to define and implement follow-up measures in accordance with § 18 HinSchG, § 12 AGG:

• Specialist departments of those responsible or other companies
• the single reporting point
• Authorities and other government agencies
• External service providers such as lawyers or processors

Transmission of data to a third country

A data transfer to countries outside the EU or the EEA (so-called third countries) only takes place insofar as this is permitted or prescribed by law or the data subject has given consent and the special requirements of Art. 44 et seq. of the GDPR are met. 

Duration of storage

Personal data collected in connection with a report that is not relevant to the procedure will be deleted immediately. In addition, the personal data collected is generally deleted in accordance with §§ 195, § 199 para. 1 BGB, § 11 HinSchG after three years, insofar as no longer storage is necessary and proportionate to meet the requirements of the HinSchG, the AGG or other legal provisions. 

An extension of the storage period may occur, for example, if and insofar as the personal data is necessary for the assertion, exercise or defence of legal claims. 

Automated decision-making and profiling

Neither automatic decision-making nor profiling pursuant to Art. 22 GDPR takes place.

We reserve the right to adapt our notes on data processing at any time in accordance with changes to our services, the way your personal data is processed or the applicable law. Therefore, always make sure to consult the most current version of our notes on data protection.