Data protection information for external service providers
The present notes pursuant to Art. 13 ff. GDPR on data protection serve the duty to inform when collecting personal data from external service providers of goetzpartners Group, i.e. goetzpartners Holding AG and its affiliated companies.
All of the following personal designations refer to members of all genders.
Table of Contents
1. Name and contact details of the person responsible
2. Contact details of the data protection officer
3. Purposes for which the personal data are to be processed and the legal basis for the processing
3.1 Data processing for the fulfillment of the contract concluded between you and us (Art. 6 para. 1 lit. b GDPR)
3.2. Data processing for the performance of a contract with legal entities (Art. 6 para. 1 lit. f GDPR)
3.3. Data processing for the management of IT systems (Art. 6 para. 1 lit. f GDPR)
4. Obligation to provide data
5. Recipients of data and data sources
5.1 Categories of recipients of data
5.2. Data sources
6. Data transfer to a third country
7. Automated decision making including profiling
8. Storage period and criteria for determining the duration
9. Information on your data subject rights
10. Right of appeal to a supervisory authority
1. Name and contact details of the person responsible
GP Holding GmbH
Prinzregentenstr. 56
80538 Munich
Germany
(hereinafter "goetzpartners", "we", "us").
2. Contact details of the data protection officer
Holzhofer Consulting GmbH
Martin Holzhofer
Lochhamer Str. 31
82152 Planegg
Germany
Tel.: (+ 49) (0 89) 1 25 01 56 00
3. Purposes for which the personal data are to be processed and the legal basis for the processing
3.1 Data processing for the fulfillment of the contract concluded between you and us (Art. 6 para. 1 lit. b GDPR)
As a matter of principle, we process your personal data for the purpose of establishing and implementing a contract for services or work with you. The legal basis for this is Art. 6 para. 1 lit. b GDPR, provided that the contracting party is the data subject.
In order to be able to fulfill the service or work contract, we process, as well as, if applicable, third parties or processors assigned by us, the following data from you, insofar as you have provided us with these in the course of the contractual negotiations or the data accrue in the course of the contractual relationship. These are:
- personal data (first name, last name, address, telephone, e-mail address, mobile phone number)
- bank data (esp. account number/IBAN) for transfer of remuneration
- if applicable, information on possible previous employment
- if applicable, other data in: curriculum vitae, employment references, certificates for the assessment of qualification
Health data may be requested as far as required by law, e.g. under the German Infection Protection Act (Infektionsschutzgesetz; IfSG). The provision of further health data is voluntary on the basis of your consent.
All consent is voluntary and can be withdrawn from goetzpartners at any time.
3.2. Data processing for the performance of a contract with legal entities (Art. 6 para. 1 lit. f GDPR)
In order to be able to carry out and maintain the business relationship, in particular to carry out the preparation and fulfillment of the contract, we process, as well as, if necessary, third parties or processors assigned by us, the following data:
- Contact information of the contact person and, if applicable, further employees of the service provider
- First name, last name
- business address
- Business phone number
- business mobile phone number
- business email address
- Further information whose processing is required in the course of a business relationship with goetzpartners or which is provided voluntarily by our contact persons:
- if applicable, information on qualifications and expertise
- Information collected from publicly available sources, information databases, or credit agencies
The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. A balancing of interests was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation of pre-contractual measures and the implementation and fulfillment of contracts with service providers. We have a legitimate interest in the initiation, implementation and processing of the business relationship with our service providers, for which the processing of the above data is necessary.
3.3. Data processing for the management of IT systems (Art. 6 para. 1 lit. f GDPR)
If, exceptionally, access to our IT systems becomes necessary for reasons of ensuring IT security needs, further of your data (e.g. name, business e-mail address, business phone number, user ID (e.g. M365 user name and passwort), IP-address, metadata of the documents) will be processed for the administration and security of the IT system (IT-Security). This includes created and archived text documents (e.g. correspondence). This also includes data collected in the course of internet use and use of the internal Wi-Fi.
Without this data processing, secure operation of the system and thus cooperation with our company is not possible.
The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f GPDR. A balancing of interests was carried out and came to the conclusion that the interests of the external service providers concerned, among other things due to the technical and organizational measures we have taken, do not outweigh our interests in the proper and trouble-free functioning of the IT system.
4. Obligation to provide data
The provision of personal data is necessary for the conclusion of a contract with a natural person at goetzpartners. Failure to provide would result in the contract not being concluded.
5. Recipients of data and data sources
5.1 Categories of recipients of data
To the extent permitted by law, we share personal data with the following external recipients:
- banks involved in the disbursement
- external service providers for financial accounting
- authorities in the event of reviews/audits
- IT service provider to maintain our IT infrastructure
- lawyers in case of legal advice
- company auditor
- courts
- other third parties in the course of the transfer of functions
For the processing of personal data for the purposes mentioned here (exceptional access to IT systems), we use the following categories of recipients as processors pursuant to Art. 28 GDPR:
- software service provider for hosting and operation of online video conferencing systems
- service provider for hosting servers for the provision of web-based services
- service provider for the operation of the e-mail servers
- software service providers for AI-based cybersecurity software
- other software service providers
5.2. Data sources
We process personal data that we have received from you in the course of concluding a contract (service or work contract) or that you have provided to us in the course of the contractual relationship.
6. Data transfer to a third country
A data transfer to countries outside the EU or the European Economic Area ("Third Countries") or to countries without an adequacy decision results within the scope of administration, development and operation of IT systems.
The transfer is made only on the basis:
- of an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
- of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the Third Country.
- of standard data protection clauses adopted by the Commission in accordance with the examination procedure pursuant to Art. 93 para. 2 GDPR.
Currently, in connection with the establishment and execution of a service/ or work contract with external service providers, data transfer to countries outside the EU and the European Economic Area ("Third Countries") takes place in the following cases:
- in case of exceptional access to our IT systems: transmission of data to Microsoft Corporation, 1 Microsoft Way, Redmond, Washington 98052-8300, USA amongst others in connection with the use of our video conferencing system.
For the USA, the European Commission has issued an adequacy decision according to Art. 46 Sec. 3 GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. Microsoft is certified under the DPF and thus committing to comply with European data protection principles.
7. Automated decision making including profiling
Your personal data will not be processed by goetzpartners to make automated individual decisions, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR.
8. Storage period and criteria for determining the duration
Personal data will generally only be kept for as long as is necessary to fulfill the purposes stated here or as required by the retention periods stipulated by law.
In the event that a service or work contract is concluded with external service providers, personal data is generally stored for the duration of the contractual relationship. Personal data may also be stored for the performance of a task that is in the public interest or in the exercise of official authority.
In addition, personal data may also be stored for the duration of the exercise or defense of legal claims. For these cases, the data will be stored after termination of the contractual relationship, in principle until the expiry of the statutory limitation period (three years from the origin/knowledge of the claim).
Individual documents may furthermore be retained for a period of up to six years (in accordance with the German Income Tax Act (Einkommensteuergesetz) and the German Tax Code (Abgabenordnung) or for up to ten years respectively (in accordance with the German Commercial Code (Handelsgesetzbuch).
Should exceptionally our Wi-fi be used: When using the internal Wi-fi, log data ("log files") about the type and extent of use of the services will be stored for 24 hours. These include for example the IP address/MAC-address of the user, personal authorization identifiers, location data, as well as the start and end of the respective connection according to date and time, as well as other traffic data necessary for the establishment and maintenance of telecommunications.
9. Information on your data subject rights
The company responsible for processing your data is GP Holding GmbH, Prinzregentenstr. 56, 80538 Munich, Germany, unless otherwise indicated.
You can request information from us at any time (Art. 15 GDPR) about the data stored about you and request their rectification (Art. 16 GDPR) in the event of errors. Furthermore, you may request the restriction of processing (Art. 18 GDPR), the portability (Art. 20 GDPR) of the data provided to us by you in a machine-readable format or request the erasure of your data (Art. 17 GDPR) - insofar as they are no longer required. In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).
Insofar as we process your data on the basis of consent given by you, you may revoke this consent at any time with effect for the future (Art. 7 para. 3 GDPR). As of the receipt of your revocation, we will no longer process your data for the purposes specified in the consent.
If you wish to exercise your data protection rights, please send your request to:
GP Holding GmbH
Prinzregentenstr. 56
80538 Munich
Germany
E-mail address: info@goetzpartners.com
E-mail address: datenschutzbeauftragter@holzhofer-consulting.de
10. Right of appeal to a supervisory authority
In addition, you can file a complaint with a supervisory authority at any time. The Bayerische Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), PO box 1349, 91504 Ansbach, Germany, is generally responsible for us. Alternatively, you can approach your local supervisory authority.
Status: June 2024