PRIVACY STATEMENT

Name and address of the controller

The controller in the sense of the General Data Protection Regulation (GDPR), of the data protection regulations holding good in the member states of European Union and of other regulations with a legal data-protecting character is:

Name and address of the data protection officer

The external data protection officer of the controller is:

Each data subject can turn at any time directly to our data protection officer with all questions and suggestions on data protection.

Definitions

The data protection information of INNOCEAN Worldwide Europe GmbH is based on the definitions which have been used by the European directive and order issuing office in formulating the General Data Protection Regulation (GDPR). The data protection information of INNOCEAN Worldwide Europe GmbH should be easily read and understood not only by the general public but also by our customers and business partners. In order to ensure this, we would like to clarify in advance the definitions used.

In this data protection information and on our website, we use – amongst others – the following terms:

Personal data

Personal data is any information relating to an identified or identifiable natural person (hereafter "data subject"). Defined as identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Processing means any operation or set of operations which is carried out in connection with personal data – whether or not by automated means – such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restricting of the processing

Restricting of the processing is the marking of personal data as stored with the objective of restricting its processing in the future.

Profiling

Profiling is each type of the automated processing of personal data, which consists of this personal data being used to permit particular personal aspects relating to a particular natural person, and here in particular aspects in respect of work performance, economic situation, health, personal likes, interests, reliability, behaviour, place of residence or change of place of residence of this natural person to be evaluated, analysed or forecast.

Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, in so far as this additional information is kept in a special way and subjected to technical and organizational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.

Controller or party responsible for the processing

Controller or party responsible for the processing (hereafter controller) is the natural person or legal entity, authority, institution, or other post, which alone or together with others decides on the purposes and means of the processing of personal data. If the purposes and means of the processing are laid down in European Union legislation or the legislation of the member states, then the controller or the particular criteria of the appointment of this controller in accordance with European Union legislation or the legislation of the member states can be provided.

Processor

Processor is a natural person or legal entity, authority, institution, or other post, which processes the personal data on the instructions of the controller.

Recipient

Recipient is a natural person or legal entity, authority, institution, or other post to which personal data are disclosed regardless of whether this is a third party or not. However, authorities, which receive within the framework of a particular investigation order in accordance with European Union legislation or the legislation of the member states data which possibly may be/contain personal data, do not hold good as recipients.

Third party

Third party is a natural person or legal entity, authority, institution or other post with the exception of the data subject, the controller, the order processor and those persons who are authorized under the direct responsibility of the controller or of the order processor to process the personal data.

Consent

Consent is each declaration of will given voluntarily by the data subject for the definite case in an informed and unambiguous manner in the form of a declaration or other unambiguous confirmatory action, with which the data subject makes clear that he/she agrees to the processing of personal data relating to himself/herself.

General information on data processing; legal basis, purposes of processing, duration of storage, objection, and possibility of erasure

General information on the legal basis

Where we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

Art. 6 para. 1 lit. d GDPR serves as a legal basis in the event that vital interests of the data subject or another natural person necessitate the processing of personal data.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

General information on data erasure and storage duration

Where we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

General information on processing on our website

Data protection, data security and secrecy protection have high priority for INNOCEAN Worldwide Europe GmbH. The permanent protection of your personal data, your company data and your trade secrets is particularly important to us.

In principle, you can visit our website without providing any personal information. However, if you make use of the services of our company via our website, this requires the disclosure of your personal data. In general, we use the data communicated by you and collected by the website and the data stored during use exclusively for our own purposes, namely for the implementation and provision of our website and for the initiation, implementation and processing of the services offered via the website (contract performance) and do not pass these on to outside third parties, unless there is an officially ordered obligation to do so. In all other cases, we will obtain your separate consent.

Your personal data will be processed in accordance with the requirements of the General Data Protection Regulation and in accordance with the country-specific data protection regulations applicable to INNOCEAN Worldwide Europe GmbH. By means of this data protection note, we would like to inform you about the type, scope and purpose of the personal data processed by us. In addition, we will inform you of your rights by means of this data protection information.

INNOCEAN Worldwide Europe GmbH has implemented technical and organizational measures to ensure adequate protection of personal data processed via this website. Nevertheless, Internet-based data transmissions can in principle have security gaps, so that absolute protection cannot be guaranteed.

Collection of general data and information

The website of INNOCEAN Worldwide Europe GmbH (hereinafter referred to as IWE) collects a series of general data and information each time a data subject or an automated system accesses the website. This general data and information are stored in the log files of the server. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-sites which are accessed via an accessing system on our website can be recorded, (5) the date and time of an access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information which serve to avert danger in the event of attacks on our information technology systems.

When using this general data and information, IWE does not draw any conclusions about the data subject. Rather, this information is required to (1) correctly deliver the content of our website, (2) optimize the content and advertising of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information they need to prosecute a cyber-attack. This anonymous data and information are therefore evaluated by IWE both statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by the data subject.

Legal basis

Art. 6 para. 1 lit. f GDPR

(legitimate interest)

Storage purpose

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

Storage duration

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the session in question has ended.

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the session in question has ended.

Objection / possibility of disposal

No, as necessary for operation of the website

Cookies

Google Analytics

We have integrated the Google Analytics component (with anonymisation function) on this website. The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Analytics is a web analysis service. Web analysis is the collection, storage and analysis of data about the behaviour of website visitors. The purpose of the Google Analytics component is to analyse the traffic of visitors to our website. Google uses the data and information obtained to, among other things, evaluate the use of our website, to compile online reports for us showing the activities on our website and to provide other services related to the use of our website.

Google Analytics sets a cookie on the information technology system of the data subject. Setting the cookie enables Google to analyse the use of our website. Each time one of the individual pages of this website operated by us and on which a Google Analytics component has been integrated is called up, the internet browser on the information technology system of the data subject is automatically caused by the respective Google Analytics component to transfer data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks and subsequently to enable commission settlements.

By means of the cookie, personal information, for example the access time, the location from which an access originated and the frequency of visits to our website by the data subject, is stored. Each time the data subject visits our website, this personal data, including the IP address of the internet connection used by the data subject, is transferred to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may share this personal data collected via the technical process with third parties.

We use the addition "_gat._anonymizeIp" for web analysis via Google Analytics. This means that the IP address of the internet connection of the data subject is shortened and anonymised by Google if access to our website is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.

Google Tag Manager

Your rights

If personal data is processed by you, you are the data subject within the meaning of the GDPR and you are entitled to the following rights towards the data controller:

Right of access

You can obtain confirmation from the data controller as to whether or not personal data concerning you will be processed by us. 

In the event of such processing, you may request the following information from the data controller:

You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

Right to rectification

You have the right to have your personal data rectified and/or completed by the data controller if the personal data processed concerning you is inaccurate or incomplete. The data controller must carry out the rectification immediately.

Right to restriction of processing

Under the following conditions, you may request that the processing of your personal data be restricted:

  1. if you dispute the accuracy of the personal data concerning you for a period which enables the person responsible to verify the accuracy of the personal data; 
  2. the processing is unlawful, and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  3. the controller no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defence of legal claims, or 
  4. if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.

Where the processing of personal data concerning you has been restricted, such data may not be processed, with the exception of their storage, without your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State.

If the processing restriction has been limited in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

Right to erasure

Obligation to erase personal data

You may request the data controller to delete the personal data concerning you immediately and the data controller is obliged to delete this data immediately if one of the following reasons applies:

  1. The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You withdraw your consent on which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR was based and there is no other legal basis for the processing.
  3. You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing or you object to the processing pursuant to Art. 21 para. 2 GDPR. 
  4. The personal data have been processed unlawfully.
  5. The erasure of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
  6. The personal data relating to you have been collected in relation to information society services offered pursuant to Article 8(1) GDPR.

Information to third parties

If the data controller has made the personal data concerning you public and is obliged to delete them in accordance with Art. 17 para. 1 GDPR, he shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform the data controllers who process the personal data that you as the data subject have requested them to delete all links to this personal data or copies or replications of this personal data.

Exceptions

The right to erasure does not apply if the processing is necessary

  1. for exercising the right of freedom of expression and information; 
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; 
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or 
  5. for the establishment, exercise or defence of legal claims.

Furthermore, the right to erasure does not apply if the personal data must be stored by the controller due to legal storage obligations and periods. In such a case, the personal data will be blocked instead of deleted.

Notification obligation

If you have exercised your right to rectify, erase or limit the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, erasure or limitation, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed of such recipients by the data controller.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable and interoperable format. In addition, you have the right to communicate this data to another controller without being hindered by the controller to whom the personal data was provided, provided that

  1. the processing is based on a consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to request that the personal data be transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

The data controller will no longer process the personal data concerning you unless he can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

You have the possibility to exercise your right of objection through automated procedures using technical specifications in connection with the use of Information Society services, notwithstanding Directive 2002/58/EC.

Right to revoke the data protection declaration of consent

You have the right to revoke your declaration of consent under data protection law at any time and without stating reasons. In the event of revocation, we will immediately delete your personal data and no longer process it.  The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent until you revoke your consent.

Automated individual decision-making, including profiling

You have the right not to be subject to any decision based solely on automated processing, including profiling, that has any legal effect on you or similarly significantly affects you. This does not apply if the decision

  1. is necessary for the conclusion or performance of a contract between you and the controller, 
  2. is authorised by legislation of the Union or of the Member States to which the controller is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or 
  3. with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.

In the cases referred to in (1) and (3), the controller shall take reasonable steps to safeguard the rights and freedoms and your legitimate interests, including at least the right of the controller to obtain the intervention of a person, to present his or her point of view and to contest the decision.

Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is in breach of the GDPR.

The supervisory authority with which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

CONTACT

Leticia Rial
Director, Corporate Strategy & Business Planning
l.rial.ungaro@innocean.eu