Data protection information: Customers and interested parties

Data protection information: Management and documentation of offers and orders from customers

We would like to inform you about how we handle your personal data and what rights you are entitled to under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Responsibility for data processing lies with the organization Rhein-Nahe Nahverkehrsverbund GmbH (hereinafter referred to as "we" or "us").

 

Responsibilities

The party responsible for the processing of your personal data is:

Rhein-Nahe Nahverkehrsverbund GmbH

Silke Meyer

Bahnhofstraße 2

55218 Ingelheim am Rhein

Germany

Telephone: 061 32 - 78 96-22

E-mail: service@rnn.info

 

Contact details of the data protection officer

You can reach our data protection officer using the following contact details:

DSBOK GmbH

Oliver Krause

Untergasse 2

E-mail: ok@dsbok.de

Telephone: 01605384727

 

General information on the legal basis of data processing

"Personal data" is all information that relates to a specific person. We process this data in accordance with the applicable data protection laws, in particular the GDPR and the BDSG. We may only process personal data if we have legal permission to do so.

 

We only process personal data with your consent, in order to enter into a contract with you or to respond to your request in connection with a potential business relationship, to fulfill legal obligations, or to protect our legitimate interests, provided that this does not affect your interests or fundamental rights and freedoms that require the protection of personal data.

 

Storage duration of personal data

 

We only store your data for as long as is necessary to achieve the purpose of the processing or to fulfill contractual or legal obligations, unless otherwise stated in the following information. Statutory retention obligations may arise from commercial or tax regulations. After the end of the calendar year in which we collected the data, we will retain personal data contained in our accounting records for ten years and personal data contained in business letters and contracts for six years.

Furthermore, we will retain data in connection with consents requiring proof as well as complaints and claims for the duration of the statutory limitation periods. Data stored for advertising purposes will be deleted if you object to processing for this purpose.

 

Processing when exercising your rights

If you wish to exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data provided by you in order to implement these rights and to be able to provide proof of this. We will process the data stored for the purpose of providing information and preparation exclusively for this purpose and for the purposes of data protection control, and otherwise restrict processing in accordance with Article 18 of the GDPR.

 

These processing operations are based on the legal basis of Article 6(1)(c) of the GDPR in conjunction with Articles 15 to 22 of the GDPR and Section 34(2) of the BDSG.

 

Rights of the data subject

The General Data Protection Regulation (GDPR) guarantees every data subject certain rights in relation to their personal data. These include:

 

  • The right of access: Every data subject has the right to obtain confirmation from us as to whether or not personal data is being processed and to information about this data as well as further information and copies of this data.
  • The right to rectification: Every data subject has the right to request the rectification of inaccurate personal data without undue delay.
  • The right to erasure ("right to be forgotten"): Every data subject has the right to request the erasure of their personal data without undue delay.
  • The right to restriction of processing: Every data subject has the right to request the restriction of the processing of their personal data.
  • The right to data portability: Every data subject has the right to receive the personal data concerning them, which they have provided to us, in a structured, commonly used and machine-readable format.
  • Right to object: Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para. 1 lit. e or f GDPR. If we process personal data about the data subject for the purpose of direct marketing, the data subject may object to this processing in accordance with Art. 21 para. 2 and para. 3 GDPR.

 

The data subject also has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the GDPR.

 

The supervisory authority responsible for us is: The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate

 

Right to object to the collection of data in special cases and to direct advertising (Art. 21 GDPR)

 

IF THE DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY.

 

IF YOU LODGE AN OBJECTION, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

 

IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).

 

Information on the processing of personal data

Purpose of the processing

We process your personal data insofar as this is necessary to fulfill the following purposes

 

  • Establishment, execution and termination of service contracts
  • Communication with customers and interested parties
  • Communication with end customers and interested parties
  • Marketing and advertising purposes
  • Analysis and evaluation of website activities
  • Fulfillment of a legal obligation
  • Technical instrument of the website
  • Provision of a website
  • Communication with external parties
  • Cookie consent
  • Establishment, execution and termination of sales contracts

 

Legal basis

The legal basis for the processing of your personal data for the above-mentioned purposes is/are

 

  • Fulfillment of the contract (Art. 6 para. 1 lit. b GDPR)
  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)
  • Employment relationship (Art. 6 para. 1 lit. b GDPR, § 26 BDSG-new, Art. 88 GDPR)

 

Sources of the personal data

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

 

  • Voluntary self-disclosure
  • Collected from the data subject
  • Automatic transmission for technical reasons
  • Data collected by means of online tools/procedures
  • Online form
  • Public data accessible to everyone
  • Contract data

 

Categories of personal data

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.

 

  • Inventory data
  • Contact data
  • Customer administration
  • Content data
  • Personal identification data
  • Electronic identification data
  • Contract data
  • Usage data
  • Meta/communication data
  • Use of media and means of communication
  • User accounts
  • Complaint content
  • Penalizable processes
  • Normal tickets
  • Current job
  • Professional qualification
  • Professional activities

 

Legitimate interests

The indication of the "legitimate interests" of the controller or the third party pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.

 

  • See privacy policy
  • Our legitimate interest lies in the efficient and secure management of customer inquiries, offers, orders and the associated communication.

 

Storage duration

We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

 

  • 10 years after the annual financial statements, excluding other statutory retention periods
  • 1 year, at the end of the year or after withdrawal of consent, excluding other statutory retention periods
  • Deletion at the end of necessity (e.g. for ongoing customer relationships, legal proceedings, etc.)
  • 1 year, at the end of the year, except for other statutory retention periods
  • After the specified duration of the cookie lifetime (different for each cookie)
  • Until consent is withdrawn, except for other statutory retention periods
  • When the employee leaves the company

 

Possible consequences of non-provision

The provision of personal data by the data subject may be required by law or contract or may be necessary for the conclusion of a contract. There may also be a legal obligation to provide the data.

 

Failure to provide the personal data could result in the following consequences

 

  • Access to services or benefits is denied
  • Compliance with legal or contractual obligations is not possible

 

Data recipients

Recipients of the personal data outside the organization

Article 4(9) of the General Data Protection Regulation (GDPR) defines the term "recipient" as "the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not it is a third party".

 

  • vedisys AG
  • Hubspot Inc.
  • Microsoft Germany GmbH
  • Signum GmbH
  • Hetzner Online GmbH
  • CookieBot - Usercentrics A/S
  • Openstreetmap Foundation

 

General information for data transfer to third countries

As part of our data processing activities, certain personal data may be transferred to countries in which the EU General Data Protection Regulation (EU GDPR) is not applicable law (so-called third countries). Such a transfer is only permitted if the European Commission has determined that an adequate level of data protection is guaranteed in the third country in question. If there is no such adequacy decision by the European Commission, personal data may only be transferred to a third country if suitable guarantees in accordance with Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.

 

Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. The data subject has the right to obtain a copy of these EU standard data protection clauses or to inspect them. For this purpose, we recommend using the contact details provided under Responsibilities.

 

Insofar as the data subject expressly consents to the transfer of personal data, the transfer takes place on the legal basis of Art. 49 para. 1 lit. a GDPR.

 

Adequacy decision of the EU Commission

A transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organization is permitted if the European Commission has determined that the country, territory or one or more specific sectors within that country or the international organization in question ensures an adequate level of protection.

 

We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA) for which an adequacy decision exists:

 

  • Hubspot Inc (United States of America)
  • Microsoft Deutschland GmbH (United States of America)
  • Openstreetmap Foundation (United Kingdom)

 

Automated decision-making and profiling

Automated decision-making including profiling in accordance with Art. 22 GDPR does not take place. We therefore do not process personal data in order to automatically evaluate, analyze or predict personal aspects and do not make decisions based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.