I. NAME AND ADDRESS OF CONTROLLER
The responsible body within the meaning of the General Data Protection Regulation and other national data protection regulations of the member states as well as other data protection provisions is:
RHL Shipping Company Hamburger Lloyd GmbH & CO KG
Tel.: +49 (0) 40 380 881 - 300
II. NAME AND ADDRESS OF DATA PROTECTION OFFICER
Data protection officer on behalf of the controller:
Thilo Noack Shared IT
Professional GmbH & Co. KG
24576 Bad Bramstedt
III. GENERAL INFORMATION
The legislator requires that personal data are processed lawfully, fairly and in a manner that is comprehensible to the data subject ("lawfulness, fair processing, transparency"). To ensure this, we inform you about the individual legal definitions that are also used in this data protection notice
Personal data shall mean any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
profiling means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.
Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organisational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person.
File system means any structured collection of personal data that can be accessed according to specific criteria, whether that collection
centrally, decentrally or according to functional or geographical criteria.
Controller means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients and the processing of such data by those authorities shall be carried out in accordance with the applicable data protection rules and in accordance with the purposes of the processing.
Third party means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.
Consent of the data subject means any freely given, specific and informed indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
IV. GENERAL INFORMATION ON DATA PROCESSING
Scope of the processing of personal data
As a matter of principle, we process users' personal data only insofar as this is necessary to provide a functional website and our content and services. Personal data is only processed with the consent of the user. An exception to this is when data processing is permitted by law.
Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) applies as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Article 6 (1) (b) of the GDPR serves as the legal basis. This also applies to processing that is necessary for the performance of pre-contractual measures.Insofar as the processing of personal data is necessary for the performance of a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.
Deletion of data and duration of storage
The personal data of the data subject will be deleted or blocked as soon as the reason for storing it has ceased to exist. In addition, data may be stored if this has been provided for by the European or national legislator in regulations, laws or other provisions to which the controller is subject. Data shall also be blocked or deleted if a storage period prescribed by the aforementioned regulations expires, unless the continued storage of the data is necessary for the conclusion or performance of a contract.
V. LAWFULNESS OF PROCESSING
- The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject's request;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
VI. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
1. Description and scope of data processing
Every time you visit our website, our system automatically collects data and information. The following data is collected:
The access logs of the web servers record which page requests have taken place and when. They contain the following data: IP, directory protection user, date, time, accessed pages, logs, status code, amount of data, referrer, user agent, accessed host name.
The IP addresses are stored anonymously for 60 days.
The error logs of the web servers record erroneous page requests. In addition to the error messages, the accessing IP address and, depending on the error, the accessed website are also saved. The error logs are deleted after 7 days.
The mail logs for sending emails from the web environment are anonymised after one day and then kept for 60 days. During anonymisation, all sender/recipient data etc. is removed. Only data about the time of sending and information about the processing of the e-mail is stored. (Queue ID or not sent).
2. legal basis for the data processing
The legal basis for the temporary data processing is Art. 6 para. 1 lit. f GDPR.
3. purpose of the data processing
The temporary storage of users' IP addresses by the system is necessary for the website to be delivered to users' computers. For this purpose, a user's IP address must remain stored for the duration of the respective session.
The data is stored in log files to ensure the functionality of the website. Furthermore, the data is used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
Our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR also serves these purposes.
4. duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for the provision of the website, this happens when the respective session has ended.
See also point 1, which explains the storage period of the log files.
5. possibility of objection and removal
The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.
This website uses the CleverReach software to send newsletters. The provider is CleverReach GmbH & Co KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter "CleverReach").
CleverReach is a service with which the sending of newsletters can be organised and evaluated. The data you enter for the purpose of subscribing to our newsletter (e.g. e-mail address) is stored on CleverReach servers in Germany or in Ireland.
The newsletters we send via CleverReach enable us to analyse the usage behaviour of our newsletter recipients. In this context, it can be determined, among other things, how many recipients actually opened the newsletter email and how often which link within the newsletter was clicked. With the help of a tool called Conversion Tracking, we can also determine whether an action indicated in the newsletter actually took place after the link was clicked (e.g. purchase of a product on this website). For more information about CleverReach's newsletter data analysis service, please visit: https://www.cleverreach.com/en/features/reporting-tracking/.
The processing of the data is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time by unsubscribing from the newsletter. The legality of the data processing operations carried out until the revocation remains unaffected.
If you do not want to allow the analysis by CleverReach, you must unsubscribe from the newsletter. We will provide you with a link in each newsletter message with which you can do this.
The data stored with us for the purpose of subscribing to the newsletter will be saved by us until you unsubscribe from the newsletter or the newsletter service provider and deleted from the newsletter distribution list after you unsubscribe from the newsletter. The data stored by us for other purposes remains unaffected by this.
After you have unsubscribed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f) GDPR). The storage in the blacklist is indefinite. You can object to the storage if your interest outweighs our legitimate interest.
Conclusion of a commissioned data processing agreement
We have concluded an order data processing agreement with the provider of CleverReach and fully implement the strict requirements of the German data protection authorities when using CleverReach.
On this website, a link of the music service Spotify are integrated for the purpose of interactive, musical design. The provider is Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm in Sweden.
When you visit this website via the plugin, a direct connection can be established between your browser and the Spotify server if the plugin is activated. We have integrated Spotify with a 2-kick solution to protect your data. By activating it, Spotify receives the information that you have visited this website with your IP address. If you click the Spotify button while logged into your Spotify account, you can link the content of this website to your Spotify profile. This enables Spotify to associate your visit to this website with your user account.
We would like to point out that cookies from Google Analytics are used when you use Spotify, so your usage data may also be passed on to Google when you use Spotify. Google Analytics is a tool of the Google Group for analysing user behaviour, based in the USA. In addition, we would like to point out that Spotify also shares data with Facebook and other companies. The information may also be published on social networks and shown to your contacts there.
If you do not want the social networks to assign the data collected via our website directly to your profile in the respective service, you can also completely prevent the loading of the widgets with add-ons for your browser, e.g. with the script blocker "NoScript" (https://noscript.net/)."
If you do not want Spotify to be able to associate your visit to this website with your Spotify user account, please log out of your Spotify user account.
The storage and analysis of the data provided to us by Spotify is based on Art. 6 para. 1 lit. a) GDPR. You can revoke your consent to this at any time.
Spotify is solely responsible for the general data processing when using the Spotify service. We as the website operator have no influence on this processing.
We have integrated a component of the Facebook service on our website, which is a link to our Facebook fan page. We use the technical platform of Meta Platforms Ireland Limited, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland (hereinafter: Facebook) for the information service offered here.
According to the ECJ, there is joint responsibility within the meaning of Art. 26 GDPR between Facebook and the operator of a Facebook fan page for the personal data processed via the Facebook fan page. For this reason, we have concluded a joint responsibility agreement with Facebook.
When you access a Facebook fan page, the IP address of your end device is transmitted to Facebook. According to Facebook, this IP address is anonymized and deleted after 90 days, at least as far as it is a German IP address. In addition, Facebook stores further information about the end devices of its users, e.g. the Internet browser used. If necessary, Facebook is thus able to assign IP addresses to individual users. If you are logged into your Facebook account while visiting our fan page, a cookie with your Facebook ID is stored on your end device. Based on this cookie, Facebook can track that you have visited our fan page and how you have used it. Facebook uses this information to present you with content or advertising tailored to you. If you do not want this, you should log out of your Facebook account or deactivate the "stay logged in" function. We also recommend that you delete the cookies present on your device and exit and restart your browser. This process deletes Facebook information that Facebook can use to establish a link to you. However, if you want to use the interactive functions of our fan page, you would have to log in to Facebook again with your Facebook login information. This also enables Facebook to establish a link to you again. In what way Facebook uses the data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties, is not conclusively and clearly stated by Facebook and is not known to us. In this respect, we can only refer you as a user of our fan page to Facebook's statements on data protection. The data collected about you in this context will be processed by Facebook and, if necessary, transferred to countries outside the European Union.
Facebook describes in general terms what information it receives and how it is used in its data usage guidelines. There you will also find information on how to contact Facebook and on the settings options for advertisements. The data usage guidelines are available at the following link: http://de-de.facebook.com/about/privacy. Opt-out options can be set here: https://www.facebook.com/settings?tab=ads and here http://www.youronlinechoices.com.
The transmission and further processing of users' personal data to third countries, such as the USA, as well as the associated possible risks for you as a user cannot be assessed by us as the operator of the Facebook fan page.
This website has integrated a link from Apple iTunes Podcasts to provide you with auditory information about our company through podcasts.
We maintain our own company page on LinkedIn. This is used to actively address potential employees in a professional environment in a timely manner. On this page we also share information about our company and use the portal to present ourselves to the outside world.
Together with LinkedIn, we are responsible for the operation of the site and thus bear a so-called "joint responsibility" towards the user. We have concluded a corresponding agreement with LinkedIn. This regulates the respective responsibilities for the fulfilment of the obligations according to Art. 26 GDPR.
Podcast via Apple iTunes
This website uses Apple iTunes Podcasts to provide you with audio information about our company through podcasts.
The provider of these services is Apple Inc, 1 Infinite Loop, Cupertino, CA 95014, USA ("Apple iTunes Podcasts"). When using Apple iTunes Podcasts, data is transferred to the USA, which is considered a third country with an insecure level of data protection under the GDPR. The data may include the addresses of the websites visited that also contain Apple iTunes Podcasts features, browser information, date and time of the connection. We have no knowledge of the content of the data transmitted, how it is used or how long it is stored by Apple iTunes Podcasts.
VIII. DATA PROTECTION INFORMATION FOR APPLICANTS LAND AND SEA
We are pleased that you are interested in us and that you are applying or have applied for a position in our company. In the following, we would like to inform you about the processing of your personal data in connection with the application.
Which of your data do we process? And for what purposes?
We process the data you have provided to us in connection with your application in order to assess your suitability for the position (or other vacancies in our company, if applicable) and to carry out the application process
On what legal basis is this based?
The legal basis for processing your personal data in this application procedure is primarily Section 26 of the german BDSG. According to this, the processing of data required in connection with the decision on the establishment of an employment relationship is permissible.
Should the data be required for legal prosecution after completion of the application procedure, the data processing may be based on the requirements of Art. 6 GDPR, in particular for the protection of legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our interest then consists in the assertion or defence of claims.
How long will the data be stored?
Applicants' data will be deleted after 6 months in the event of rejection.
If you have agreed to further storage of your personal data, we will pass your data on to our applicant pool. There, the data will be deleted after two years.
If you have been offered a job as part of the application process, the data will be transferred from the applicant data system to our personnel information system.
To which recipients is the data passed on?
Your application data will be checked by the HR department after receipt of your application. Suitable applications will then be forwarded internally to the department heads for the respective vacancy. The further procedure will then be coordinated. In principle, only those persons in the company have access to your data who need it for the proper course of our application procedure.
Where is the data processed?
The data is processed exclusively in data centers in the Federal Republic of Germany.
IX. DURATION OF PROCESSING
We will only process your data for as long as is necessary to fulfil our contract or applicable legal requirements and to maintain our relationship with you. We will inform you about the specific storage period of the data in the context of the respective description of the individual data processing. If you do not find a concrete indication of the storage period there, then it is not possible for us to name such a period because it depends on various individual factors (e.g. the term of the contract, assertion of claims, etc.). In these cases, we base the duration of storage on the principle of data minimisation and proportionality.
Business documents are stored for a maximum of 6 and 10 years in accordance with the provisions of the German Commercial Code and the German Fiscal Code.
As long as you do not object or revoke your consent, we will use your data to maintain and intensify our trusting business relationship for our mutual benefit.
If you wish your data to be deleted, we will delete your data immediately, provided that there are no legal obligations to retain the data.
Our offer is basically aimed at adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parents or legal guardians.
XI. RIGHTS OF THE DATA SUBJECT
If your personal data is processed, you are a data subject within the meaning of the General Data Protection Regulation and have the following rights against the controller:
1. Right to information
You may request confirmation from the controller as to whether your personal data is being processed by us.
If such processing has taken place, you may request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients and/or categories of recipients to whom your personal data have been or will be disclosed;
- the intended duration of the storage of your personal data or, if a concrete specification is not possible, criteria for determining the storage duration;
- the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- any available information on the origin of the data if the personal data have not been collected from the data subject;
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information on whether your personal data are transferred to a third country or to an international organisation. In this context, you may request to be informed about the adequate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
2. Right to rectification and completion
You have the right to require us to rectify without delay any inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
3. Right to restriction of processing
You can request that the processing of your personal data is restricted if one of the following conditions is met:
- You contest the accuracy of your personal data for a period of time which enables the controller to verify the accuracy of the personal data;
- the processing violates the law and you refuse the erasure of the personal data and instead request the restriction of its use;
- the controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defence of legal claims, or
- You have objected to the processing pursuant to Art. 21(1) GDPR and it is not yet clear whether the legitimate grounds of the controller override your own grounds.
Where the processing of your personal data has been restricted, those data may - apart from being stored - only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or on the basis of an important public interest of the Union or a Member State.
If the processing has been restricted under the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to delete
You may request the controller to erase your personal data without delay and the controller is obliged to erase such data without delay if one of the following conditions is met:
- Your personal data is no longer needed for the purposes for which it was collected or otherwise processed.
- You revoke the consent on which the processing is based pursuant to Art. 6 (1) a) or Art. 9 (1) a) GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
- Your personal data have been processed unlawfully.
The erasure of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
- Your personal data has been collected in relation to information society services that comply with the provisions of Art. 8(1) GDPR.
b) Information to third parties
If the controller has published your personal data and is obliged to do so pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform other data controllers that you, as the data subject, have requested the erasure of all links to, or copies or replications of, such personal data.
The right to erasure does not exist if the processing is necessary in order to
- for the exercise of the right to freedom of expression and information;
- for compliance with a legal obligation to which that processing is subject under Union law or the law of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health pursuant to Art. 9 (2) h ) and i), as well as Art. 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, where the law referred to in a) could render impossible or seriously prejudice the achievement of those processing purposes, or
- for the assertion, exercise or defence of legal claims.
5. Right to information
If you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification, erasure or restriction to all recipients to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
6. Right to data portability
You have the right to receive your personal data provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without the controller to whom the personal data have been provided preventing you from doing so, provided that
- the processing is based on consent pursuant to Article 6 (1) (a) of the GDPR or Article 9 (2) (a) of the GDPR or on a contract pursuant to Article 6 (1) (b) of the GDPR, and
- the processing is carried out with the aid of automated procedures.
When exercising this right, you also have the right to have your personal data transferred directly from one controller to the other controller where this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right of appeal
You have the right to object at any time to the processing of your personal data on the basis of Art. 6 para.
1 lit. e or f GDPR for reasons relating to your particular situation.
The controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the possibility - notwithstanding Directive 2002/58/EC - to exercise your right to object by means of automated procedures using technical specifications.
8. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged must inform the complainant of the status and outcome of the complaint, including the possibility of a remedy under Article 78 GDPR.
9. Right to an effective remedy
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, you have the right to an effective judicial remedy if you consider that your rights under this Regulation have been infringed as a result of processing of your personal data which does not comply with this Regulation.
10. Right of revocation
If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
XII. LEGAL EFFECT
If sections or individual terms of this statement are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.