Information Obligations

Information required by Art. 13 GDPR

Identity and contact details of the data controller (Art. 13, Para. 1 (a) GDPR)

STARFACE GmbH
Adlerstraße 61
76137 Karlsruhe
Germany
Email: info@starface.com

Identity and contact details of the data protection officer (Art. 1, Para 1 (b) GDPR)

ENSECUR GmbH
Kaiserstr. 86
76133 Karlsruhe
Personally responsible: Thorsten Jordan
Email: dsb-starface@ensecur.de

If the company captures and processes information related to the following, it is required to disclose the purposes for which their data are processed and the legal grounds for doing so:

 

 

 

Obligation to provide information to interested parties and customers

Purpose of and legal basis for data processing (Art. 13, Para. 1 (c) GDPR)

  • Handling and processing of inquiries from interested parties (Art. 6, Para. 1 (f) GDPR)*
  • Checks of sanction lists (Art. 6, Para. 1 (c) GDPR) in the sense of Council Regulation (EC) No. 2580/2001 on specific restrictive measures directed against certain persons and organizations with a view to combating terrorism and Council Regulation (EC) No. 881/2002 against persons and entities associated with Usama bin Laden, the Al-Qaida network, and the Taliban)
  • Preparation of quotations for interested parties (Art. 6, Para. 1 (f) GDPR)*
  • Conclusion of purchase agreements (Art. 6, Para. 1 (f) GDPR)*
  • Compliance with legal obligations (Art. 6, Para. 1 (c) GDPR)
  • Support for processing by service providers (Art. 28 GDPR)
  • Fulfillment of orders and delivery (Art. 6, Para. 1 (c) GDPR)
  • Performance of marketing activities (Art. 6, Para. 1 (a) GDPR)
  • Handling of complaints (Art. 6, Para. 1 (c) GDPR)

*Interests of the responsible controller when weighing legitimate interests (Art. 13, Para. 1 (d) GDPR)

  • Raising legal claims and defending in the event of legal disputes
  • Ensuring the company’s IT security and IT operation
  • Preventing criminal acts
  • Measures to manage business activities and develop services and products further

 

Recipients or categories of recipients of personal data (Art. 13, Para 1 (e) GDPR)

Government bodies, banks, auditors, software developers, associated companies, disposal service providers, advertising agencies, IT service providers, other providers of products and services
We also use the “Insights Tag” service of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (in the following, “LinkedIn”) to systematically present our offering to potential customers and determine the conversion rate. For these purposes, we communicate data such as your name, email address, and possibly current employer, provided that you have given your consent for us to do so. More information on this service provider is available at https://www.linkedin.com. The privacy policy of LinkedIn is available at the following link: https://www.linkedin.com/legal/privacy-policy. You can find information on LinkedIn’s policy on cookies here: https://www.linkedin.com/legal/cookie_policy. To ensure an appropriate standard of data protection when processing data in third countries, we conclude standard contractual clauses with the processing parties; the job processing contract with LinkedIn and information on the standard contractual clauses can be read here: https://legal.linkedin.com/dpa. If you do not wish for LinkedIn to process your data, you can use the following link to opt out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to third countries (Art. 13, Para. 1 (f) GDPR)
Apart from the data provided to LinkedIn as described above, we do not currently transfer any other data to third countries.
In case data are transferred to any third countries at some future time, this will always be done in compliance with the legal requirements defined in Art. 45 GDPR in conjunction with Art. 46 (5) sentence 2 GDPR, according to which authorizations already made on the basis of Directive 95/46/EC will remain valid until amended, replaced or repealed. The EU Commission has established that the EU-U.S. Privacy Shield (declared invalid on July 16, 2020) provided an appropriate level of data protection (C (2016) 4176 final).

Duration of storage according to statutory storage obligations (Art. 13, Par. 2 (a) GDPR)
As a rule, personal data are deleted within 10 years after the termination of a contractual relationship, or sooner if a prospect fails to turn into a customer.

Right to request access to and the rectification or erasure of personal data and object to their processing (Art. 13, Para. 2 (b) GDPR)
As a data subject, you have the right to request information on your data, to have them corrected or deleted, to limit processing of them, and to port them. If you wish to exercise any of these rights, please notify the responsible officer using the provided contact data.

Right to object (Art. 21, Para. 1 GDPR)
Even if your data are processed in the pursuit of legitimate interests, you have the right to object to such processing at any time using the contact data we have provided if reasons for you to do so arise from your particular situation. In such a case, we will cease to process them unless it serves overriding legitimate interests on our part.

Right to withdraw consent (Art. 13, Para. 2 (c) GDPR)
If you have consented to the processing of your data, you have the right to withdraw this consent at any time without this affecting the lawfulness of our having processed them based on your consent beforehand. To do so, please notify the responsible individual using the provided contact data.

Right to lodge a complaint (Art. 13, Para. 2 (d) GDPR)
As a data subject, you may submit complaints at any time to the data protection commissioner of the German state of Baden-Württemberg: phone +49 (0) 711 / 61 55 41-0, email poststelle@lfdi.bwl.de.

Existence of a need to provide personal data (Art. 13, Para. 2 (e) GDPR)
The captured data are required for processing inquiries, preparing offers, concluding purchase agreements, and/or otherwise conducting business.

 

 

Obligation for suppliers and service providers to provide information

Purposes of and legal basis for processing data (Art. 13, Para. 1 (c) GDPR)

  • Purchasing and provision of support services for business purposes (Art. 6, Para. 1 (f) GDPR)*
  • Meeting of legal obligations (Art. 6, Para. 1 (c) GDPR)
  • Sending of informational materials (Art. 6, Para. 1 (b) GDPR)

*Consideration of legitimate interests of the responsible party (Art. 13, Para. 1 (d) GDPR)

  • Assertion of legal claims and defense in the event of legal disputes
  • Ensuring the company’s IT security and operation
  • Prevention of criminal acts
  • Measures to manage the business and develop products and services further

 

Recipients or categories of recipients of personal data (Art. 13, Para. 1 (f) GDPR)
Government authorities, banks, auditors, disposal service providers.

Data transfer to third countries (Art. 13, Para. 1 (f) GDPR)
No data are currently transferred to third countries.

In case data are transferred to any third countries at some future time, this will always be done in compliance with the legal requirements as established in Art. 45 GDPR in conjunction with Art. 46 (5) sentence 2 GDPR, according to which authorizations already made on the basis of Directive 95/46/EC will remain valid until amended, replaced or repealed. The EU Commission has established that the EU-U.S. Privacy Shield (declared invalid on July 16, 2020) provided an appropriate level of data protection (C (2016) 4176 final).

Duration of storage pursuant to statutory obligations (Art. 13, Par. 2 (a) GDPR)
As a rule, personal data are deleted within 10 years after the termination of a contractual relationship. There are exceptions in which either longer storage is required by law and/or the affected individual withdraws..

Right to request access to and rectification or erasure of personal data and to object to processing (Art. 13, Para. 2 (b) GDPR)
As a data subject, at all times you have the right to request information on your data, to have them corrected or deleted, to limit processing of them, and to port them. If you wish to exercise any of these rights, please notify the responsible officer using the provided contact data.

Right to object (Art. 21, Para. 1 GDPR)
To the extent that your data are processed in the pursuit of legitimate interests, you have the right to object to such processing at any time if, in the light of your particular situation, there are grounds for you to do so. In such a case, we will cease processing them unless we can demonstrate compelling legitimate reasons to continue doing so.

Right to withdraw consent (Art. 13, Para. 2 (c) GDPR)
To the extent that you have consented to the processing of your data, you have the right to withdraw this consent going forward without affecting the lawfulness of processing based on your consent prior to its withdrawal. To do so, please address the responsible department using the contact data provided below

Right to lodge a complaint (Art. 13, Para. 2 (d) GDPR
As a data subject, you are entitled to submit complaints at any time to the data protection commissioner of the German state of Baden-Württemberg: phone +49 (0) 711 / 61 55 41-0, email poststelle@lfdi.bwl.de.

Existence of a need to provide personal data (Art. 13, Para. 2 (e) GDPR)
The captured data are required for initiating, conducting, and terminating business relationships.

 

 

Obligation of applicants to provide information

Purpose and legal basis of data processing (Art. 13, Para. 1 (c) GDPR)

  1. Processing of applications / e-recruiting (Art. 26, Para. 1 of the new version of the German Federal Data Protection Act)
  2. Addition to a pool of applicants for contacting at a later time (Art. 6, Para. 1 (a) GDPR

Interests of the controller when weighing interests (Art. 13, Para. 1 (d) GDPR)
Not applicable.

Recipients or categories of recipients of the personal data (Art. 13, Para. 1 (d) GDPR)
Personnel service providers, payroll offices, the provider of the software-based applicant website, disposal service providers.

Transfer to third countries (Art. 13, Para. 1 (f) GDPR)
No data are transferred to any third countries.

Legally prescribed duration of storage (Art. 13, Para. 2 (a) GDPR)
Personal data are deleted six months after the end of the application process while considering Art. 61b, Para. 1 of the German Labor Court Act in conjunction with Art. 15 of the German Equal Treatment Law. If an applicant is added to the applicants’ pool, their data are deleted after two years if it is not possible to offer them an appropriate position.
In the event that an applicant is employed, the required data are transferred to their personnel file. Regarding the deletion of data, please refer to the obligation to provide notification when processing employee data.

Right to object (Art. 21, Para. 1 GDPR)
To the extent that your data are processed in the pursuit of legitimate interests, you have the right to object to such processing at any time if, in the light of your particular situation, there are reasons for you to do so. In such a case, we will cease processing them unless we can demonstrate compelling legitimate grounds to continue doing so.

Right to withdraw consent (Art. 13, Para. 2 (c) GDPR)
To the extent that you have consented to the processing of your data, you have the right to withdraw this consent going forward without affecting the lawfulness of processing based on your consent prior to its withdrawal. To do so, please notify the responsible department using the contact data provided below.

Right to request access to and rectification or erasure of personal data and to object to processing (Art. 13, Para. 2 (b) GDPR)
As a data subject, you have the right at all times to request information on your data, to have them corrected or deleted, to limit processing of them, and to port them. If you wish to exercise any of these rights, please notify the responsible officer using the provided contact data.

Right to lodge a complaint (Art. 13, Para. 2 (d) GDPR)
As a data subject, you are entitled to submit complaints at any time to the data protection commissioner of the German state of Baden-Württemberg: phone +49 (0) 711 / 61 55 41-0, email poststelle@lfdi.bwl.de.

Existence of a need to provide personal data (Art. 13, Para. 2 (e) GDPR)
The captured data are required for processing inquiries, preparing offers, concluding purchase agreements and/or otherwise conducting business.

 

 

Obligation to provide information in the sense of Section 52 of the German Telecommunications Act in conjunction with Art. 13 GDPR

Service providers must, when concluding contracts with clients, inform them about the type, scope, place and purpose of data capture and use in a generally understandable manner so that they are aware of the principal ways in which the data are processed. The clients must also be informed of the permissible selection and organization options. The service providers must also provide the users with generally accessible information on how personal data are captured and used.
In the event that the protection afforded to personal data is violated, the affected participants or individuals may exercise their rights as stated in Section 109, Paragraph 1, Sentence 2 in conjunction with II.

Purpose of and legal basis for capturing and processing data (Section 52 of the German Telecommunications Act (TKG) in conjunction with Art. 13, Para. 1 (c) GDPR)

  • Conclusion of contractual relationships (Sections 52 ff. in conjunction with Section 3, No. 6 of the German Telecommunications Act)
  • Order processing and delivery (Sections 52 ff. in conjunction with Section 3, No. 6 of the German Telecommunications Act)
  • Modification and termination of the contractual relationship (Sections 54-57 ff. in conjunction with Section 3, No. 6 of the German Telecommunications Act)
  • Handling of complaints (Art. 6, Para. 1 (c) GDPR)
  • Setup and maintenance of telecommunications systems and traffic data required for billing purposes (Section 9, Para. 1 of the German Telemedia Act)
  • Compliance with legal obligations (Art. 6, Para. 1 (c) GDPR)
  • Determination and billing of charges (Section 10 of the German Telemedia Act)
  • Provision of information to subscribers, advertising, market research, and communication of another user’s call requests (Art. 6, Para. 1 (a) GDPR)
  • Marketing and appropriate design of telecommunications services to meet requirements, provision of services with additional benefits (Art. 6, Para. 1 (a) GDPR)
  • Support for operational processes by service providers (Art. 28 GDPR)
  • Fixing of problems in telecommunications systems (Section 12, Para. 1 of the German Telemedia Act)
  • Prevention of misuse of telecommunications services (Section 12, Para. 1 of the German Telemedia Act)

*Interests of the controller when weighing interests (Art. 13, Para. 1 (d) GDPR)

  • Ensuring IT security and the company’s IT operations
  • Prevention of criminal acts

 

Type and scope of personal data (Art. 52, Para. 1 of the German Telecommunications Act)
The following data are captured to the indicated extents within the scope of our telecommunications services:

  • Names of the company and contact, address of the company, telephone number and email address of the contact, account data of the company.
  • Date and time of access/initiation of telephone calls, beginning and end of connections, number/ID of involved connections/terminal devices, involved IP addresses, transmitted data volumes (traffic data).

Recipients or categories of recipients of personal data (Art. 13, Para 1 (e) GDPR)
Government bodies, banks, auditors, software makers, associated companies, disposal service providers, advertising agencies, IT service providers, other providers of products and services

Data transfer to third countries (Art. 13, Para. 1 (f) GDPR)
We do not currently transfer any other data to third countries.
In case data are transferred to any third countries at some future time, this will always be done in compliance with the legal requirements defined in Art. 45 GDPR in conjunction with Art. 46 (5), Sentence 2 GDPR.

Dialing and design options as per Section 52, Para. 1 of the German Telecommunications Act in conjunction with Section 11 of the German Telemedia Act
The following selections and options are available to you within the scope of your telecommunications contract in accordance with Section 11 of the German Telemedia Act:

  • Itemized bills
  • List of subscribers

If you need more detailed information on the choices available to you, please send an email to connect@starface.de.

Duration of storage according to statutory storage obligations (Art. 13, Par. 2 (a) GDPR)

Personal data are deleted when they are no longer needed. Existing data are deleted one year after the end of the calendar year after the termination of the contract. If there is a legal obligation to store data for longer (as a rule, six to 10 years), they are deleted when this term expires.

Traffic data are immediately deleted upon the end of a relationship, unless they are relevant for invoicing purposes. Data relevant for invoicing purposes are deleted six months after the corresponding invoice is sent. If objections are raised on an invoice, it is not deleted until they have been definitively clarified.

 

Rights of the subject to information, erasure, revocation, and objection (Section 169, Para. 1, Sentence 2 and Para. 2 of the German Telecommunications Act in conjunction with Art. 13, Para. 2 (b) GDPR

As a data subject you may at any time exercise your right to information, restriction of processing, data portability, and rectification and deletion of your data. To do so, please contact the responsible individual using the provided contact data.

Right to object (Art. 21, Para. 1 GDPR)
To the extent that your data are processed for legitimate reasons, you have the right to object at any time to this processing by contacting us using the provided contact information if, due to your particular situation, there are reasons to oppose it. We will then cease to process your data unless there are compelling legitimate grounds for continuing to do so.

Right to withdraw consent (Art. 13, Para. 2 (c) GDPR)
To the extent that you have consented to the processing of your data, you have the right to withdraw this consent going forward without affecting the lawfulness of processing based on your consent prior to its withdrawal. To do so, please address the responsible department using the contact data provided below.

Right of complaint
As an affected data subject, you may complain to the German Federal Commissioner for Data Protection and Freedom of Information if you believe that data protection rules have been violated in connection with capturing, processing, or using your personal data.

The German Federal Commissioner for Data Protection and Freedom of Information:

Husarenstrasse 30
53117 Bonn
Germany
Phone: +49 228-997799-0
Email: poststelle@bfdi.bund.de

Existence of a need to provide personal data (Art. 13, Para. 2 (e) GDPR)
The provision of personal data is prescribed by law for safeguarding telecommunications, and especially for the purposes of repairing malfunctions in telecommunications systems and preventing the abuse of telecommunications services in accordance with Section 12, Para. 1 of the German Telemedia Act. Data must also be provided for establishing, configuring the details, altering, and terminating a contractual relationship for providing telecommunications services.

Secrecy of telecommunications in accordance with Section 3 of the German Telemedia Act
The content of telecommunications, all relevant information on participants in telecommunications processes, and unsuccessful connection attempts are subject to secrecy.