Hamburg Lloyd

impressum

Data protection statement according to the GDPR

I.       Name and address of the responsible person

The responsible legal person, in the sense of the General Data Protection Regulation and other national data protection rules of the member states as well as other data protection regulations, is:

RHL Reederei Hamburger Lloyd GmbH & CO KG

Brooktorkai 20

20457 Hamburg

Germany

Tel. : +49 (0) 40 380 881 - 300

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: www.hamburger-lloyd.de

II.      Name and address of Data Protection Officer

Data Protection Officer on behalf of the responsible person is:

Thilo Noack

SharedIT Professional GmbH & Co. KG

Saebystr. 17a

24576 Bad Bramstedt

Germany

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

III.    General information on data processing

1.      Scope of personal data processing

We generally only process personal user data insofar as this is necessary to provide a functioning website as well as our content and services. Personal user data is only processed with the user's consent. An exception are those cases where prior consent cannot be obtained for practical reasons, and where data processing is permitted by law.

2.    Legal basis for personal data processing

Insofar as we obtain the consent from the affected person for the processing of his or her personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) is to serve as the legal basis.

When processing personal data required for the performance of a contract to which the affected person is a party, Art. 6 para. 1 lit. b GDPR is to serve as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR is to serve as the legal basis.

In the event that the vital interests of the affected person or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR is to serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party, and if the interests, fundamental rights and freedoms of the affected person do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR is to serve as the legal basis for the processing.

3.    Deletion of data and duration of storage

The personal data of the affected person will be deleted or blocked as soon as the reason for the storage no longer applies. Furthermore, data can be stored if this was laid down by the European or national legislator in EU regulations, laws, or other provisions to which the responsible person is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned regulations expires, unless there is a need for further data storage for the conclusion or fulfilment of a contract.

IV.     Provision of website and creation of log files

1.    Description and scope of data processing

Every time our website is called up, our system automatically records data and information. The following data is collected:

The access logs of the web servers record which page views have taken place at what time. They contain the following data: IP, directory protection user, date, time, accessed pages, protocols, status code, data volume, referrer, user agent, accessed host name.

The IP addresses are stored anonymously for 60 days.

The error logs of the web servers record incorrect page views. The accessing IP address and, depending on the error, the accessed website are stored in addition to the error alerts. Error logs are deleted after 7 days.

The mail logs for sending emails from the web environment are rendered anonymous after one day and then kept for 60 days. Anonymization removes all sender/recipient data, etc. Only data relating to the time of sending and information on how the email was processed are saved. (Queue ID or not sent).

2.    Legal basis for data processing

The legal basis for temporary data processing is Art. 6 para. 1 lit. f GDPR.

3.    Purpose of data processing

Temporary storage of user IP addresses by the system is required to enable the website to be delivered to the users' computers. For this purpose, a user's IP address must remain stored for the duration of the session in question.

The data is stored in log files to ensure the functionality of the website. In addition, the data serves to optimise the website and to ensure the security of our information technology systems. An analysis of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR also serves these purposes.

4.    Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for the provision of the website, this happens when the respective session has ended.

See also point 1, in which the storage time of log files is explained.

5.    Possibility of objection and removal

Data collection for the provision of the website and the storage of data in log files is absolutely essential for the operation of the website. Consequently, there is no possibility for the user to object.

V.     Use of Cookies

1.    Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the web browser, or by the web browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a unique string of characters that unambiguously identifies the web browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing web browser can be identified even after a page change.

The Joomla system creates a session cookie with a storage duration of 15 minutes for logging on to the backend.

2.    Legal basis for data processing

The legal basis for personal data processing using cookies is Art. 6 para. 1 lit. f GDPR.

3.    Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For this purpose, it is necessary that web browsers are identified even after page changes.

The user data collected by technically necessary cookies are not used to create user profiles.

Our legitimate interest in personal data processing according to Art. 6 para. 1 lit. f GDPR also serves these purposes.

4.    Duration of storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site from there. Therefore, you as a user have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to make full use of all its functions.

VI.     Newsletters

1.    Description and scope of data processing

You can subscribe to the free newsletter "The Bridge" on our website. When registering for the newsletter, the following data from the input mask will be transmitted to us:

First name, last name, email address

Registration and distribution of the newsletters is handled by the mail service provider "MailChimp", a newsletter forwarding platform operated by the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection regulations of the mail service provider can be viewed here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement and thus guarantees compliance with the European level of data protection.

(https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

The mail service provider can use the recipients' data in pseudonymous form, i.e. without assignment to a user, for optimising or improving its own services, e.g. for technical optimisation of the distribution and presentation of newsletters, or for statistical purposes. However, the mail service provider does not use our newsletter recipients’ data to contact them themselves, and the data will not be passed on to third parties.

The registration for our newsletter takes place via a so-called “double opt-in” procedure. This means that an email asking for confirmation of the registration is sent to the user after initial registration. This confirmation is necessary so that nobody can register other people's email addresses. Subscriptions to the newsletter are documented in order to be able to prove that the registration process met the legal requirements. This includes documentation of the time of registration and confirmation, as well as the IP address. Changes to the data stored by the mail service provider are also documented.

The newsletters contain a so-called "web-beacon", i.e. a pixel-sized file which is downloaded from our server or, if we use a mail service provider, from their server, when the newsletter is opened. In the course of this download, technical information, such as information about the browser and your system, as well as your IP address and time of download, are collected.

This technical information (IP address and thus the location of the access, as well as date and time of the access) is used for technical improvement of the services and for statistical purposes. For technical reasons, it is possible to assign this information to individual newsletter recipients. However, it is neither our intention, nor that of the mail service provider, to monitor individual users. We use the evaluations to identify the reading habits of our subscribers.

In the course of the registration process, your consent is obtained before processing your data, and you are referred to this data protection statement.

In connection with data processing for the distribution of newsletters, no data is passed on to third parties. The data is used for the distribution of the newsletter only.

2.      Legal basis for data processing

The legal basis for personal data processing after registration for the newsletter through the user, if the user has given his or her consent, is Art. 6 para. 1 lit. f GDPR.

The distribution of the newsletter, and the performance evaluations relating to it, is based on the recipient’s consent according to Art. 6 para. 1 lit. a GDPR.

The mail service provider is appointed on the basis of our legitimate interests according to Art. 6 para. 1 lit. f GDPR, and on an order processing contract according to Art. 28 para. 3 p. 1 GDPR.

3.      Purpose of data processing

The storage of the user's email address is for the purpose of delivering the "The Bridge" newsletter. The newsletter keeps you informed about current developments at Hamburger Lloyd.

The collection of other personal data as part of the registration process serves to prevent a misuse of the services or the used email address.

4.    Duration of storage

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The user's email address will therefore be stored for as long as the subscription to the newsletter is active.

Any other personal data collected during the registration process will generally be deleted after a period of seven days.

5.    Possibility of objection and removal

The subscription to the newsletter can be cancelled by the respective user at any time. A web link to this effect can be found in every newsletter.

This also makes it possible to revoke the consent to the storage of any personal data collected in the course of the registration process.

We are authorised to store the email addresses that have been unsubscribed for up to three years on the basis of our legitimate interests before we delete them, in order to be able to prove a previously given consent. The processing of these data is strictly limited to the purpose of a possible defence against claims. An individual application for removal is possible at any time, provided that the previous existence of a consent is confirmed at the same time.

VII.  Rights of the affected person

If your personal data are processed you are an affected person under the GDPR, and you have the following rights vis-à-vis the responsible person:

1.      Right of information

You can ask the responsible person to confirm whether your personal data is processed by us.

If such processing has taken place, you can request the following information from the responsible person:

  • the purposes for which the personal data are processed;
  • the categories of personal data that are processed;
  • the recipients and/or categories of recipients to whom your personal data have been or are still being disclosed;
  • the planned storage duration of your personal data or, if specific information on this is not possible, criteria for determining the storage duration;
  • the existence of a right to correction or deletion of your personal data, of a right to restriction of the processing by the responsible person, or of a right to object to such processing;
  • the existence of a right of complaint to a supervisory authority;
  • any available information on the origin of the data, if the personal data are not collected from the affected person;
  • the existence of automated decision-making including profiling, in accordance with Art. 22 para. 1 and 4 GDPR, and – at least in these cases – meaningful information on the logic involved, as well as the scope and intended effects of such processing for the affected person.

You have the right to request information as to whether your personal data are transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.

2.    Right to correction

If your processed personal data are incorrect or incomplete, you have a right to correction and/or completion vis-à-vis the responsible person. The responsible person is to carry out the correction immediately.

3.    Right to restriction of processing

You can request that the processing of your personal data be restricted if one of the following conditions are met:

  • you dispute the accuracy of your personal data over a period of time that enables the responsible person to verify the accuracy of the personal data;
  • the processing is against the law and you refuse the deletion of the personal data and instead demand the restriction of their use;
  • the responsible person no longer needs the personal data for processing purposes, yet you need them for asserting, exercising, or defending legal claims, or
  • you have filed an objection against the processing according to Art. 21 para. 1 GDPR and it is not yet clear whether the justifiable reasons of the responsible person outweigh your own reasons.

If the processing of your personal data has been restricted, these data may only be processed – apart from their storage – with your consent, or in order to assert, exercise or defend legal rights, or to protect the rights of another natural or legal person, or on the basis of an important public interest of the Union or of a member state.

If the processing restriction has been restricted under the above conditions, you will be informed by the responsible person before the restriction is lifted.

4.    Right to deletion

a)     Obligation of deletion

You can request that the responsible person delete your personal data immediately, and the responsible person is under an obligation to delete these data immediately, if one of the following conditions are met:

  • Your personal data are no longer required for the purposes for which they were collected or otherwise processed.
  • You revoke the consent on which the processing was based, in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
  • You file an objection against the processing in accordance with Art. 21 para. 1 GDPR and there are no overriding justified reasons for the processing, or you file an objection against the processing in accordance with Art. 21 para. 2 GDPR.
  • Your personal data have been unlawfully processed.
  • The deletion of your personal data is necessary to fulfil a legal obligation under Union law or the law of the member states to which the responsible person is subject.
  • Your personal data have been collected in relation to information society services provided according to Art. 8 para. 1 GDPR.

b)     Information towards third parties

If the responsible person has made your personal data public and is obliged to delete them according to Art. 17 para. 1 GDPR, he shall take the appropriate measures, including technical measures, under consideration of the available technology and the cost of implementation, to inform those responsible for personal data processing that you as the affected person have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c)      Exceptions

The right to deletion does not exist if the processing is necessary

  • for exercising the right to freedom of expression and information;
  • for compliance with a legal obligation that requires such processing under the law of the Union or the member states to which the responsible person is subject, or for the performance of a task in the public interest, or in the exercise of official authority assigned to the responsible person;
  • for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i, and Art. 9 para. 3 GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to render impossible, or seriously impair, the attainment of such processing objectives, or
  • to assert, exercise, or defend legal claims.

5.    Right to information

If you have exercised your right vis-à-vis the responsible person to correct, delete, or restrict the processing, the latter is obliged to inform all recipients to whom your personal data have been disclosed of this correction or deletion or restriction, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the responsible person to be informed about these recipients.

6.      Right to data portability

You have the right to receive your personal data, which you made available to the responsible person, in a structured, established, and machine-readable format. In addition, you have the right to pass this data on to another responsible person without obstruction by the responsible person to whom the personal data was made available, provided that

  • the processing is based on consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR, and
  • the processing is carried out using automated procedures.

In exercising this right, you also have the right to ensure that your personal data are transferred directly from one responsible person to the other responsible person, insofar as this is technically feasible. The freedoms and rights of other persons may not be affected by this.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest, or in the exercise of official authority assigned to the responsible person.

7.      Right to object

You have the right to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. e or f GDPR, for reasons relating to your particular situation.

The responsible person will no longer process your personal data unless he can prove compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or such processing serves to assert, exercise or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time against the processing of your personal data for such advertising purposes; this also applies to profiling, insofar as it is related to this kind of direct marketing.

If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

You have the possibility – notwithstanding Directive 2002/58/EC – to exercise your right of objection by means of automated procedures in which technical specifications are used.

8.    Right to appeal to a supervisory authority

Without prejudice to any other administrative or legal remedy, you have the right of appeal to a supervisory authority, in particular in the member state of your residence, place of work, or place of suspected infringement, if you believe that the processing of your personal data is in opposition to the GDPR.

The supervisory authority to which the complaint has been filed must inform the plaintiff of the status and results of the complaint, including the possibility of a legal remedy under Article 78 GDPR.