Information requirements according to Art. 13 GDPR
We herewith aim to provide you with full details of how your data is processed in our company and the data protection rights you have in accordance with the European General Data Protection Regulation (EU GDPR).
Alte Weilheimer Str. 2-4
Telephone: +49 (0)8157 92 510
1. Who is responsible for data processing and whom can you contact?
The corporate data protection officer of PACKSYS GmbH is
Mr. Fabian Fromm
Projekt 29 GmbH & Co. KG
Telephone: +49 (0)941 2986930
2. Which data is processed and from which sources does this data come from?
We process the data that we have received from you in the context of initiating or processing a contract on the basis of consent, or in the context of your application to us, or in the context of your employment with us.
The scope of any such personal data includes:
Your master/contact data; for customers this includes, for example, first name and surname, address, contact details (e-mail address, telephone number, telefax number), bank details.
In the case of applicants and employees, this includes, for example, first name and surname, address, contact details (e-mail address, telephone number, fax), date of birth, data from CV and references, bank details, religious affiliation, photographs.
With regard to business partners, this includes, for example, the name of your legal representative, company, commercial register number, VAT ID number, company registration number, address, details of the contact person (e-mail address, telephone number, telefax number), bank details.
For visitors to our company, this includes name and signature.
For journalists, this includes first name and surname, e-mail address, telefax number.
For raffle participants, this includes first name and surname, e-mail address.
In addition, we also process the following additional personal data:
- information on the type and content of contract data, order data, sales and document data, customer and supplier history as well as consulting documents;
- advertising and sales data;
- information from your electronic communication with us (e.g. IP address, log-in data);
- any other data that we have received from you in the course of our business relationship (for instance, in customer discussions):
- any data that we generate ourselves from master/contact data and other data, for example, on the basis of customer demand and customer potential analyses;
- the documentation of your declaration of consent for the receipt of newsletters, for example;
- photographs taken during events.
3. For what purposes and on what legal basis will the data be processed?
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) 2018, as amended:
- for compliance with (pre-)contractual obligations (Art 6 (1) (b) GDPR):
Your data will be processed for the purpose of processing contracts on-line or in one of our branches, for the purpose of processing contracts for your employee relationship with our company. In particular, data is processed when initiating and maintaining business relations and executing contracts with you, for example in the following cases:
- for compliance with legal obligations (Art 6 (1) (c) GDPR):
Your data has to be processed for the purpose of meeting various statutory obligations, for example as laid down in the German Commercial Code or the Tax Code.
- to protect legitimate interests (Art 6 (1) (f) GDPR):
Owing to the balancing of interests, data may be processed beyond the actual scope required to execute the contract in order to protect either our own legitimate interests or those of third parties. Data processing to protect legitimate interests may include the following cases, for example:
– advertising or marketing (see No. 4);
– measures for business management and the further development of services and products;
– maintenance of a company-wide customer database to improve customer service;
– in the context of legal proceedings;
– mailing of non-promotional information and press releases;
– video surveillance/video recording of image data in outdoor and indoor areas.
- within the scope of your consent (Art 6 (1) (a) GDPR):
If you have given us consent to process your data, e.g. to send you our newsletter, publish photos, raffles, etc.
4. Processing of personal data for advertising purposes
You can object to the use of your personal data for advertising purposes at any time, either in respect of all or individual measures, without incurring any costs, other than the data transmission costs at your standard rate.
We are entitled, under the legal conditions of Section 7 (3) UWG (Protection against Unfair Competition Act), to use the e-mail address you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us, regardless of whether or not you have subscribed to a newsletter.
If you no longer wish to receive product recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs, other than the data transmission costs at your standard rate. A notification in text form is sufficient for this purpose. Of course, every e-mail always includes an unsubscribe link.
5. Who receives my data?
Even if we use a service provider in the context of order processing, we remain the party responsible for protecting your data. All contractors are contractually obliged to handle your data confidentially and process it only within the scope required for the provision of services. The contractors we commission will receive your data if required to perform their respective services. These include, for example, IT service providers that we need to operate and safeguard our IT system, as well as advertising and address publishers for our own advertising campaigns.
Your data will be processed in our customer database. The customer database supports efforts to improve the data quality of existing customer data (duplicate clean-up, moved/dead indicators, address correction), and to facilitate adding data from public sources.
This data is made available to the group companies insofar as this is necessary for the processing of the contract. Customer data is stored separately for each company, with our parent company acting as a service provider for the individual participating companies.
If there is a legal obligation and in the context of legal proceedings, authorities and courts as well as external auditors may also receive your data.
In addition, insurance companies, banks, credit agencies and service providers may also receive your data for the purpose of entering into and fulfilling contracts.
6. How long will my data be saved?
We process your data until the end of the business relationship or until the expiry of the applicable statutory retention periods (such as laid down in the German Commercial Code, the German Fiscal Code or the German Working Hours Act); furthermore, until the end of any legal disputes in which the data is required as evidence.
7. Is personal data transferred to a third country?
We do not transfer any data to a third country as a matter of principle. In individual cases, data is transferred to third countries, however only on the basis of an adequacy decision of the European Commission, standard contractual clauses, suitable guarantees or your express consent.
8. What data protection rights do I have?
You have the right of access to information, or the rectification, erasure or restriction of the processing of your stored data, a right to object to the processing of data, as well as to the transfer of the relevant data, and to file a complaint in accordance with the requirements of data protection legislation.
Right of access:
You can request information from us concerning whether and to what extent we process your data.
Right to rectification:
If we process incorrect or incomplete data of yours, you have the right to obtain from us the rectification or completion of inaccurate personal data at any time.
Right to erasure (‘right to be forgotten’):
You can request that we delete your data if we process it unlawfully or if the processing interferes disproportionately with your legitimate protection interests. Please note that there may be reasons that prevent immediate deletion, if legally required storage obligations are imposed, for example. Irrespective of whether or not you exercise your right to erasure, we will delete your data immediately and completely, provided this is not precluded by any legal transaction or legal retention period to the contrary.
Right to restriction of processing:
You may request that we restrict the processing of your data if:
– you contest the accuracy of the data for a period of time that allows us to verify the accuracy of the data;
– the processing of the data is unlawful, but you oppose the erasure of personal data and request the restriction of their use instead;
– we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims; or
– you have objected to the processing of the data.
Right to data portability:
You may request from us that you receive the data you have provided to us in a structured, commonly used and machine-readable format, and that you can transmit this data to another controller without being prevented by us to do so, provided that we process this data on the basis of consent given by you, which may be revoked, or for the performance of a contract between us, and this data processing is carried out with the aid of automated processes. If technically feasible, you can ask that we transmit your data directly to another data controller.
Right to object:
If we process your data for legitimate reasons, you can object to this data processing at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. We will then refrain from any further processing of your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. You can object to the processing of your data for the purpose of direct marketing at any time without giving reasons.
Right to lodge a complaint:
If you believe that we are violating German or European data protection law when processing your data, please contact us to clarify any questions. Of course, you are also entitled to contact the supervisory authority responsible for you, which is the Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision).
If you wish to assert any of the above rights against us, please contact our data protection officer. In case of any doubt, we may request additional information to confirm your identity.
9. Am I obliged to provide data?
The processing of your data is necessary to conclude or fulfil your contract with us. If you do not provide us with this information, we will usually have to decline the conclusion of the contract or execution of the order or will no longer be able to execute an existing contract, which will consequently have to be terminated. However, you are not obliged to give your consent to the processing of data that is not relevant or legally required for the fulfilment of the contract.
Information on data protection in applicant management in accordance with Art. 13 GDPR.
Personal data is collected from you within the context of the employment relationship. Due to the new regulations in the General Data Protection Regulation (GDPR), we are therefore obliged to inform you in accordance with Art. 13 seq. GDPR about the following:
- Your employer is responsible for collecting and processing your data:
Alte Weilheimer Str 2-4
- The contact details of our data protection officer are:
Projekt 29 GmbH & Co. KG
Telephone: +49 (0)941 2986930
Telefax: +49 (0)941 29869316
- Your data will be collected and processed as part of the recruitment process or the employment relationship.
- The data required includes in particular your master data (above all your first name and surname, name affixes, nationality), your contact data (in particular your private address, mobile and landline number, e-mail address), other data pertaining to the employment relationship, such as time recording data, holiday periods, periods of incapacity to work, skill data, social data, bank details, national insurance number, pension insurance number, salary data, tax identification number, special health data and, if applicable, previous convictions) as well as log data that is recorded during the use of the IT systems.
- Your personal data is mainly collected directly from you. However, due to legal regulations, your data will also be collected in part from other offices, such as the tax office for the non-routine query of tax-relevant information, the health insurance company for information on periods of incapacity for work or, if applicable, from other third parties, such as an employment agency or from publicly accessible sources (for instance, professional networks).
- Within our company, your personal data is only provided to those persons who need the data to fulfil our contractual and legal obligations, such as the human resources department, the accounting department or the relevant specialist department.
- If we use service providers – external IT service providers, waste disposal companies, etc. – to fulfil our contractual and legal obligations, they also receive the necessary data from us.
- Outside our company, we transmit your data to further recipients insofar as this is necessary for the fulfilment of our contractual and legal obligations. These are, in particular, the social insurance institutions, the health insurance fund, the pension insurance fund, occupational benefit schemes, the employment agency, the employers’ liability insurance association, tax authorities, accident and liability insurers, courts, banks, competent bodies in order to be able to guarantee claims from the company pension scheme or capital-forming benefits, third-party debtors in the case of wage and salary attachment, or insolvency administrators in the case of personal insolvency.
- Your data will not be transmitted to a third country.
- We process your personal data in compliance with all applicable laws, such as the German Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Works Council Constitution Act (Betriebsverfassungsgesetz), the German Working Hours Act (Arbeitszeitgesetz), etc..
The primary purpose of data processing is the establishment, implementation and termination of the employment relationship. The relevant legal basis for this is Art. 6 (1) (b) GDPR in conjunction with Section 26 (1) BDSG. In addition, for data privacy-related permission, use may be made of provisions, such as laid down in collective agreements (general and company agreements as well as collective bargaining agreements) pursuant to Art. 6 (1) b) in conjunction with Art. 88 (1) GDPR, Section 26 (4) BDSG, and, if applicable, your separate consents pursuant to Art. 6 (1) (a), (7) GDPR in conjunction with Section 26 (2) BDSG (e.g. in the case of video recordings).
We also process your data in order to be able to fulfil our legal obligations as an employer, in particular in the area of tax and social security law. This is done on the basis of Art. 6 (1) (c) GDPR in conjunction with Section 26 BDSG.
Where necessary, we also process your data on the basis of Art. 6 (1) (f) GDPR in order to protect our legitimate interests or those of third parties (e.g. authorities). This applies in particular to the investigation of criminal offences (legal basis Section 26 (1) sentence 2 BDSG) or for internal communication and other administrative purposes.
Insofar as special categories of personal data are processed pursuant to Art. 9 (1) GDPR, this serves the exercising of rights or the fulfilment of legal obligations from labour law, social security law and social protection within the framework of the employment relationship (e.g. disclosure of health data to the health insurance fund, recording of severe disability due to additional leave and determination of the surcharge for non-employment of disabled persons). This is based on Art. 9 (2) (b) GDPR in conjunction with Section 26 (3) BDSG. In addition, the processing of health data may be necessary for the assessment of your working capacity pursuant to Art. 9 (2) (h) in conjunction with Art. 22 (1) (b) BDSG.
Furthermore, the processing of special categories of personal data may be based on consent pursuant to Art. 9 (2) (a) GDPR in conjunction with Section 26 (2) BDSG (e.g. occupational health management).
Should we intend to process your personal data for a purpose not mentioned above, we will inform you in advance.
- If your job application is rejected, the data you submitted will be deleted six months after you have been informed about the rejection. This does not apply if the data must be stored for a longer period of time due to legal requirements (for example, the burden of proof under the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz)), or if you have expressly consented to longer storage in our database of interested parties.
- The storage period of the collected data is limited to the employment relationship. We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. After termination of the employment relationship, the data will be stored and then deleted in accordance with the statutory or official retention periods, which arise, among other things, from the German Commercial Code and the German Fiscal Code. Accordingly, the data retention periods are up to ten years. In addition, personal data may be retained for the statutory limitation period of three years or up to 30 years if claims can be asserted against us.
- You have the right of access to information from the employer regarding the data stored about you. Under certain conditions, you can request the rectification or erasure of your data. You may also have the right to restriction of the processing of your data and a right to receive the data you have provided in a structured, commonly used and machine-readable format.
Right to object:
You also have the right to object to the processing of your personal data for direct marketing purposes without stating any reason. If we process your data to protect legitimate interests, you may object to this processing on grounds relating to your particular situation. We will then refrain from any further processing of your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
- You have the right to lodge a complaint regarding the handling of your personal data with the above-mentioned data protection officer or the data protection supervisory authority. The supervisory authority responsible for you is:
Bayerisches Landesamt für Datenschutzaufsicht
Telephone: +49 (0)981 53 1300
Telefax: +49 (0)981 53 98 1300
- The provision of personal data is necessary for the establishment, implementation and termination of the employment relationship and constitutes a secondary contractual obligation of the employee. If we do not receive the required data, it will not be possible to establish any employment relationship with you.
Data protection information for on-line meetings, telephone conferences and webinars of PACKSYS GmbH via Microsoft Teams
In the following section, we would like to inform you about the processing of personal data in connection with the use of Microsoft Teams.
Purpose of data processing
We use the tool Microsoft Teams to conduct telephone conferences, on-line meetings, video conferences and/or webinars (hereinafter referred to as on-line meetings). Microsoft Teams is a service of Microsoft Corporation.
The data controller for data processing directly related to the organising of on-line meetings is
Alte Weilheimer Str. 2-4
D-82340 Feldafing, OT Wieling
Please note: Insofar as you access the Microsoft Teams website, the Microsoft Teams provider is responsible for data processing. However, access to the website is only necessary in order to download the software for the use of Microsoft Teams.
If you do not want to or cannot use the Microsoft Teams app, you can also use your browser to open Microsoft Teams. The service will then also be provided via the Microsoft Teams website.
What data is processed?
When using Microsoft Teams, different types of data are processed. The scope of the data also depends on the data you provide before or during participation in an on-line meeting.
The following personal data is subject to processing:
User details: for example, display name, e-mail address if applicable, profile picture (optional), preferred language
Meeting metadata: for example, date, time, meeting ID, phone numbers, location
Text, audio and video data: You may have the opportunity to use the chat function in an on-line meeting. In this respect, the text entries you make will be processed in order to display them in the on-line meeting. To facilitate the display of video and the playback of audio, data from your terminal’s microphone and any terminal video camera will be processed accordingly for the duration of the meeting. You can switch off the camera or mute the microphone yourself at any time through the Microsoft Teams apps.
Scope of the processing
We use Microsoft Teams to conduct on-line meetings. If we intend to record on-line meetings, we will transparently communicate this to you in advance and – where necessary – ask for your consent.
If it is necessary for the purposes of logging the results of an on-line meeting, we will record the chat content. However, this will generally not be the case.
Automated decision-making within the meaning of Art. 22 GDPR is not used.
Legal basis for data processing
Insofar as personal data is processed by employees of PACKSYS GmbH, section 26 BDSG constitutes the legal basis for data processing. If, in connection with the use of Microsoft Teams, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of Microsoft Teams, Art. 6 (1) (f) GDPR constitutes the legal basis for the data processing. In any such cases, we are interested in the efficient organisation of on-line meetings.
Furthermore, the legal basis for data processing when conducting on-line meetings is Art. 6 (1) (b) GDPR, insofar as the meetings are organised in the context of contractual relationships (for example, business relationships, customer care).
If there is no contractual relationship, the legal basis is Art. 6 (1) (f) GDPR. Here, too, we are interested in the efficient organisation of on-line meetings.
Recipients / transmission of data
Personal data processed in connection with participation in on-line meetings will not be shared with any third parties as a matter of principle, unless said data is specifically intended to be shared. Please note: as is the case with face-to-face meetings, on-line meeting content is often designed precisely to communicate information to customers, prospective customers or third parties, and is therefore intended to be shared.
Other recipients: The provider of Microsoft Teams necessarily obtains knowledge of the above-mentioned data insofar as this is provided for in the context of our order processing agreement with Microsoft Teams.
Data processing outside the European Union
Data is not processed outside the European Union (EU) as a matter of principle since we have restricted data storage to data centres in the European Union. However, we cannot rule out that data is routed via internet servers that are located outside the EU. This may apply in particular if participants in on-line meetings are located in a third country.
However, the data is encrypted during transport over the internet and is thus protected from unauthorised access by any third parties.
Data protection officer
We have appointed a data protection officer.
These are his contact details:
Projekt 29 GmbH & Co. KG
Telephone: +49 (0)941 2986930
Your rights as a data subject
You have the right of access to the personal data concerning you. Please do not hesitate to contact us for information at any time.
Please understand that we may ask you for proof of your identity if a request for information is not made in writing.
Furthermore, you have the right to rectification or erasure or to restriction of processing to the extent that you are entitled to assert said rights by law.
Finally, you have the right to object to processing within the framework of the legal requirements.
The data protection law also provides for the right to data portability.
Erasure of data
We generally delete personal data when there is no need for further storage. Further data storage may be required in particular if the data is still needed in order to fulfil contractual services, to be able to check and grant or ward off warranty and, if applicable, warranty claims. In the case of statutory retention obligations, the erasure of data may only be considered upon expiry of the respective retention period.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a data protection supervisory authority.
Amendment of this data protection notice
We revise this data protection notice in the event of changes in data processing or on other occasions that require an amendment. Please always refer to this website for the currently valid version of the data protection notice.
Last amended on: 6 May 2021