GTÜ Zertifizierungsstelle GmbH

Data pro­tec­tion in­for­ma­tion for data sub­jects ac­cord­ing to Art. 13 GDPR & Art. 14 GDPR

1. Data controller under data protection law

The data controller under data protection law is GTÜ Zertifizierungsstelle GmbH, Vor dem Lauch 25, 70567 Stuttgart (hereinafter also referred to as „we“ or „GTÜZ“).

2. Contact details for the data protection officer

You may contact our data protection officer at the following e-mail address: datenschutz@gtue.de

We would like to point out that when using this e-mail address, the contents are not exclusively noted by our data protection officer. If you wish to exchange confidential information, we therefore ask you to first contact our data protection officer directly via this e-mail address without a more detailed description of the facts.

3. Purposes of data processing, type of data and the legal basis/legitimate interests

We collect and process your personal data for the performance of the contract, e.g. the preparation of offers, performance of certification activities, performance of remote audits, invoicing and quality assurance as well as data for communication and correspondence that we receive based on the contractual relationship in accordance with Art. 6 (1) sentence 1 (b) GDPR (fulfilment of the order/contract). We also use your contact data to maintain contact and to provide information concerning our offers in accordance with Art. 6 (1) sentence1 (f) GDPR (balancing of interests).

Your data is processed based on Art. 6 (1) sentence 1 (f) GDPR (balancing of interests). The data processing is necessary to establish and maintain business relationships and so to protect the controller's legitimate interests.

We process the following categories of personal data:

  • Name and address
  • Telephone number and e-mail address
  • Customer data
  • Your message

4. Recipient categories

Recipients of your personal data are

  • GTÜZ employees
  • Public bodies in the case of overriding legal regulations, e.g. a tax office, DAkkS, KBA
  • External service providers or other contractors, e.g. for data processing and hosting, for audit implementation and audit assessment and for credit rating information
  • Other recipients, insofar as we are legally obligated to do so

In principle, your data will not be transferred to a third country outside the EU/EEA. However, it cannot be ruled out that data may be transferred to a third country due to legal regulations or requirements.

5. Storage period

The period of the data storage depends on the statutory retention obligations and is usually 10 years.

6. Your rights

If we process your personal data, you will be „data subject“ within the meaning of the GDPR. You have the following rights if the statutory requirements are met: right to information, right to rectification, right to restriction of processing, right to erasure, right to information and right to data portability. In addition, you have a right to object, a right to withdraw consent and the right to lodge a complaint with a supervisory authority.

The individual rights are detailed below:

a. Right to information

You have the right to request us to confirm whether we are processing your personal data. If we process your personal data, you have the right to obtain information in particular about the data processed, the purposes of processing, categories of personal data, recipients or categories of recipients and, if applicable, the storage period.

b. Right to rectification

You have the right to correct and/or complete the personal data we have stored relating to you if this personal data is incorrect or incomplete. We will then immediately correct or complete the information.

c. Right to restrict processing

You have the right to request that we restrict the processing of your personal data under certain circumstances. For example, if you dispute the accuracy of your personal data and we are obliged to verify the accuracy for a certain period of time. For the duration of the verification, your personal data will only be processed in a restricted form. Another example of restriction is if we no longer need your personal data, although you need it for litigation purposes.

d. Right to erasure

In certain circumstances you have the right to request that we delete your personal data immediately. This would apply, for example, if we no longer require your personal data for the purposes for which we collected the data or if we have processed your data unlawfully. Another example would be if we process your data based on your consent, you withdraw your consent and we have no other legal basis for processing your data. However, your right to erasure does not apply in all circumstances. We may, for example, process your personal data to comply with a legal obligation or we may require it for litigation purposes.

e. Right to be informed

If you have exercised your right to rectify, erase or restrict the processing of your data, we are obliged to notify all recipients to whom we have disclosed your personal data of such rectification, erasure or restriction of the processing of your personal data, unless this is not feasible or entails a disproportionate expenditure of effort.

f. Right to data portability

Under certain circumstances, you have the right to receive the personal data you submitted to us in a structured, commonly-used and machine-readable format and the right to request that this personal data be transferred to another controller.

This is the case if we process personal data either on the basis of your consent or based on a contract with you and if we process the personal data using automated processes.

You have the right to request us to transfer your personal data directly to another controller, insofar as this is technically feasible and does not affect the freedoms and rights of other persons.

This right to data portability does not apply if the processing is necessary to perform a duty which is in the public interest or to exercise the official authority vested in us.

g. Right to withdraw consent

You may revoke consent given to us at any time with effect for the future. A revocation of consent will not affect the lawfulness of the data processing carried out on the basis of the consent until the time of revocation.

You may send a revocation by e-mail to datenschutz@gtue.de

h. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority for data protection without prejudice to any other administrative or judicial remedy. In particular, you may exercise your right to lodge a complaint in the Member State of your residence, workplace or the place of the alleged infringement if you consider that the processing of your personal data infringes the provisions of the GDPR.

An overview of the respective data protection commissioners of the federal states; their contact details can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (www.bfdi.bund.de/EN).

7. Updates and amendments to this privacy policy

Date: September 2022

Version: 2.1

Right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your personal data based on Art. 6 (1) sentence 1 (f) GDPR for reasons that arise from your particular situation.

We will cease to process your personal data following your objection unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. If you object to the processing of your personal data for direct marketing purposes, we will cease to process such data for these purposes.

You may send an objection by e-mail to datenschutz@gtue.de.