Data protection
Information

in accordance with the information obligation 
from Art. 12-19, 21 GDPR


Data processing centre/responsible body
DeDeNet GmbH, Scharnhorstplatz 5, 37154 Northeim, phone +49 (0)5551-91405-0, 
e-mail: info@dedenet.de

Contact in the area of data protection
Mr Andreas Sorge, DatCon GmbH | Ingenieurbüro für Datenschutz, Am Osterfeuer 26, 37176 Nörten-Hardenberg, Tel. 05503-9159648, e-mail: sorge(at)datcon.de

 

Processing framework

Categories of personal data that are processed:

  • Applicants/initiative applicants: master data (e.g. CV content, contact, family circumstances, health, knowledge, skills)
  • Employees: Master data (e.g. CV content, contact, family circumstances, health, knowledge, skills), contract and billing data, IT system log data (e.g. firewall, server logs), personal image/video data on company presentations, data for payroll accounting, health data, other data in the context of an employment relationship (e.g. working conditions, working hours)
  • Customers: Contract data, master data, invoice data, services or products ordered
  • Employees of the customer: Master data, communication content
  • Interested parties: Contact data, communication content
  • Business partners/employees of the business partner: contract data, master data, communication content, information in the context of contract processing
  • Participants in a video conference (e.g. "MS Teams"): First name, surname, email address, topic if applicable, participant IP addresses, MP4 file of video, audio and presentation recordings (for optional recordings), information on incoming and outgoing telephone number (for telephone dial-in), content of chat histories

Purposes for which the personal data is processed:

  • Applicants/initiative applicants: Examination of the application
  • Employees: Processing of all necessary and required measures in an employment relationship (e.g. maintaining your personnel file; payroll accounting; analysing and assessing your work performance and results and preparing references; conducting employee training; conducting disciplinary proceedings); ensuring that operations run as smoothly as possible, marketing (image/video data on website and/or other online platforms for external presentation, employee motivation when introducing new employees on e.g. "notice board")
  • Customers: Contract fulfilment
  • Employees of the customer: Contract fulfilment
  • Interested parties: Exchange of information, business initiation
  • Business partners/employees of the business partner: contract fulfilment (e.g. commissioned services, orders)
  • Participants in a video conference (e.g. "MS Teams"): Online meetings, telephone conferences, video conferences

Legal basis for processing in accordance with Art. 6 para. 1 GDPR:
(Depending on the type of data processing, different legal bases apply to the respective groups)

  • Applicants/initiative applicants: Implementation of pre-contractual measures, consent if necessary (e.g. forwarding of the respective data)
  • Employees: Fulfilment of a contract or for the implementation of pre-contractual measures, possibly consent (e.g. photos on websites), fulfilment of a legal obligation (e.g. requirements by the tax authorities), protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
  • Customers: Fulfilment of a contract or for the implementation of pre-contractual measures, fulfilment of a legal obligation (e.g. requirements by the tax legislator), protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
  • Employees of the customer: Protection of legitimate interests
  • Interested parties: Implementation of pre-contractual measures, protection of legitimate interests (e.g. logging in the context of defence against cyber risks)
  • Business partners/employees of the business partner: fulfilment of a contract or for the implementation of pre-contractual measures, fulfilment of a legal obligation (e.g. requirements by the tax authorities)
  • Participants in a video conference (e.g. "MS Teams"): Protection of legitimate interests (e.g. logging in the context of defence against cyber risks), consent to processing (for more information, see "Participation in an online meeting" below)

Duration for which the personal data is stored:
(depending on the purpose, data type and target group)

  • Contract duration, legal deadlines, withdrawal of consent (if necessary), objection to data processing, duration of the online meeting

There is no automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR.

 

Disclosure, source and foreign reference

Recipients or categories of recipients of the personal data (depending on the target group):

  • Basic recipients
    Tax consultants, internal use (e.g. HR, IT), authorities (e.g. tax authorities), banks, insurance companies (e.g. in the context of accidents or insurance claims), external service providers (e.g. support as processor)
  • Other recipients (depending on the target group):
    - Own employees: for image data (provider, marketing agency, photographer)
    - Customers and, if applicable, employees of customers: Subcontractors and cooperation partners (if contractually regulated or clarified)
    - Participants in a video conference: Participants, provider

Sources of data collection:

  • Direct / through clients / public sources

Data processing outside the European Union

Data processing outside the European Union (EU) does not take place as we have limited our primary storage location to data centres in the European Union. However, we cannot rule out the possibility that data from some applications may be routed via internet servers located outside the EU. This may be the case in particular if, for example, participants in "online meetings" are located in a country outside the EU.
There is also a possible risk that authorities may view and process your data for control or monitoring purposes due to a foreign jurisdiction. This may also occur without any further legal remedies.

 

Microsoft Bookings

You have the option of making appointments with us using Microsoft Bookings (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). The data entered will be used for the planning, realisation and, if necessary, follow-up of the appointment. The appointment data is stored for us on the Microsoft Bookings servers. The data you enter will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Mandatory statutory provisions - in particular retention periods - remain unaffected. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. for device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA.

 

Participation in an online meeting

Participation in such an event is voluntary. By registering, you consent to data processing (including US data transfer). You can decide at any time whether you wish to transmit images and/or sound during the event. If and insofar as you actively decide in favour of this, this consent also includes the transfer and processing of special categories of personal data (e.g. wearers of glasses, physical limitations, speech impediments, wearers of religious symbols). By participating, you also consent to a possible recording and, if applicable, dissemination of the event. Both will of course be communicated in advance.

  • Microsoft Teams
    We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: privacy.microsoft.com/de-de/privacystatement.
    The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: www.dataprivacyframework.gov/s/participant-search/participant-etail
  • Order processing (use of tools in the context of online meetings)
    We have concluded an order processing agreement (AVV) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which guarantees that it processes the personal data of the data subjects only in accordance with our instructions and in compliance with the GDPR.
  • Legal basis for data processing in the context of online meetings:
    - Insofar as personal data of employees of the company are processed, Section 26 BDSG is the legal basis for data processing.
    - If, in connection with the use of the video conferencing software, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component of the use of the video conferencing software, Art. 6 para. 1 lit. f GDPR is the legal basis for data processing. In these cases, our interest lies in the effective organisation of "online meetings".
    - Otherwise, the legal basis for data processing when conducting "online meetings" is Art. 6 para. 1 lit. b GDPR, insofar as the meetings are conducted within the framework of contractual relationships.
    - If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f GDPR. Here too, we are interested in the effective organisation of online meetings.

 

Rights of data subjects

  • You have the right to revoke your consent to us at any time in accordance with Art. 7 para. 3 GDPR. The consequence is that we may no longer continue the data processing that was based on this consent in the future;
  • You have the right pursuant to Art. 15 GDPR to request information about your personal data processed by us.
  • In accordance with Art. 16 GDPR, you have the right to demand the immediate correction of incorrect or incomplete personal data stored by us;
  • In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, provided that there are no other reasons, such as fulfilment of a legal obligation or defence of legal claims, to the contrary.
  • You have the right to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR.
    If your personal data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided there are reasons for this arising from your particular situation.
  • The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 19 GDPR to each recipient to whom the personal data have been disclosed.
  • In accordance with Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller.
  • In accordance with Art. 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  • You have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
    Lower Saxony supervisory authority
    Prinzenstraße 5, 30159 Hanover, phone: 05 11/120-45 00, fax: 05 11/120-45 99, email: poststelle@lfd.niedersachsen.de, website: https://www.lfd.niedersachsen.de
    Supervisory authorities of all federal states:
    https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

 

Status March 2025