Privacy Policy of GTÜ Gesellschaft für Technische Überwachung mbH

We as the operators of the website www.gtue.de (also "website") are the data controllers within the meaning of the applicable data protection laws, in particular the General Data Protection Regulation ("GDPR"), for the personal data of the user ("you") of this website.

The following information is designed to clarify which data is processed about you when you visit our website and the legal basis for such processing within the scope of our information obligations (Art. 13 et seq. GDPR). We will also inform you about how we protect your data from a technical and administrative perspective, and rights you have vis-à-vis us and the competent supervisory authority.

1. Information about the controller

GTÜ Gesellschaft für Technische Überwachung mbH
Vor dem Lauch 25 · 70567 Stuttgart
Phone: 0711 97676-0
Fax: 0711 97676-199
Email: info@gtue.de

2. Data protection officer

We have a company data protection officer:

Florian Klytta
c/o DS-Compliance GmbH
Carlsplatz 24 · 40213 Düsseldorf
Email: datenschutzbeauftragter@gtue.de

3. Processing of your personal data

a. Use our website for information only

When you access our website just to visit, log files are automatically saved by our system and processed.

The following log files are processed automatically:

  • IP address of the requesting computer
  • Type of Internet browser used
  • Version of the Internet browser used
  • Operating system and version
  • Websites accessed
  • Date and time of the visit
  • Access status/http status code
  • Amount of data transferred

The log files contain your IP address and potentially other personal data. Assignment to individuals is therefore possible in principle. However, we only store your data temporarily and, in particular, not combined with other personal data.

The processing of the above data is necessary for us to provide our website to you. We also store the data for the purpose of the security of our information technology systems. These purposes also constitute our legitimate interest in processing the data on the legal basis of Art. 6 (1) lit. f GDPR. The log files, which also contain your IP address, are deleted or anonymised immediately after they are no longer required to achieve the aforementioned purposes, but no later than after 14 days.

b. Contact form

You can use our contact forms to contact us electronically, e.g. to provide feedback, to send queries or to merely request us to send reminders regarding your annual vehicle inspection. If you use this option, we process the data you submitted in the contact form:

  • Email address (to contact you)
  • Salutation, name (to prevent abuse or misuse)
  • Telephone number (to contact you)
  • Postcode (for the annual vehicle inspection reminder only)
  • Vehicle registration number (for the annual vehicle inspection reminder only)
  • Next vehicle inspection (for the annual vehicle inspection reminder only; for the time allocation of the information)
  • Your message

In addition to the data you provide to us voluntarily, we record the time (date and time) of the transmission of your data to us and your IP address. The processing of this data is based on our legitimate interest (Art. 6 (1) lit. f GDPR) to ensure the security of our systems and to prevent the abuse or misuse of such. This data, which we also collect during your contact with us, is deleted as soon as it is no longer required, and no later than when the subject matter of your contact has been clarified in full.

By sending the contact form, you consent to the processing of your data by us. The legal basis for processing your data to respond to your contact is Art. 6 (1) lit. a GDPR. The data is stored until it is no longer required to achieve the purpose of the dialogue with you and the subject matter of your contact has been clarified in full.

If the purpose of your contact is to enter into a contract with us, the additional legal basis for processing your personal data is Art. 6 (1) lit. a GDPR. This data is stored for as long as it is required to perform the contract. Furthermore, we only store your data to comply with the relevant contractual or legal obligations (e.g. tax obligations) (Art. 6 (1) lit. b and c GDPR).

c. Contact via email

You can also contact us via email. We will store the personal data you submitted in the email. No data is disclosed to third parties in this process. The data will only be processed to fulfil your contact. The legal basis for processing your personal data is Art. 6 (1) lit. f GDPR. The data is stored until it is no longer required to achieve the purpose of the dialogue with you and the subject matter of your contact has been clarified in full.

If the purpose of your contact is to enter into a contract with us, the additional legal basis for processing your personal data is Art. 6 (1) lit. b GDPR. This data is stored for as long as it is required to perform the contract. Furthermore, we only store your data to comply with the relevant contractual or legal obligations (e.g. tax obligations) (Art. 6 (1) lit. b and c GDPR).

You can withdraw your consent to the processing of your personal data at any time by sending us an email to datenschutzbeauftragter@gtue.de . In this case, all the personal data relating to the dialogue with you will be deleted, and we will be unable to continue such dialogue.

4. Vehicle owner

We collect and process your personal data as a vehicle owner which we receive when you request a service from us to carry out the activity commissioned by you in each case (e.g. annual vehicle inspection, exhaust emission inspection, safety inspection and/or acceptance within the meaning of § 19 (3) clause 1 no. 3 or 4 StVZO (German Road Traffic Licensing Act)) and to document and invoice such services.

As an officially recognised inspection organisation, we perform this activity using inspection engineers entrusted by us who work on our behalf and in our name.

We process the following categories of personal data:

  • Vehicle identification number (VIN)
  • Official vehicle registration number
  • Name and address of the vehicle owner (stated on the vehicle registration certificate)
  • Vehicle data (e.g. vehicle mileage, manufacturer key number, manufacturer designation)
  • Test data (e.g. braking values), defects detected / defect codes and, where applicable, test notes.
  • Place, time and result of the vehicle inspection

The legal basis for this processing is Art. 6 (1) clause 1 b) GDPR (fulfilment of the order/contract) and Art. 6 (1) clause 1 lit. c) GDPR (fulfilment of legal obligations to which we are subject, including Annex VIII of the StVZO, § 29a StVZO and § 34 FZV (German Vehicle Registration Law)).

We also use the name and contact details of the vehicle owner and the date the vehicle inspection sticker was issued to remind owners of the next vehicle inspection several weeks prior to the due date. The legal basis for this is Art. 6 (1) clause 1 f) GDPR (consideration of interests).

Our interests are promotional interests and to prevent the owner from committing an otherwise potential administrative offence or from incurring a fine through a timely reminder and to ensure safe road traffic.

We will be happy to remind you by email if you have consented to this or if the legal requirements are fulfilled and we have received the email address in connection with the services you have commissioned us to carry out. The legal basis for this address via email is § 7 UWG (German Unfair Competition Act) and, in the case of consent, Art. 6 (1) clause 1 a) GDPR.

Recipients of this data may be:

  • The GTÜ test engineer commissioned to carry out the inspection;
  • The GTÜ partner company;
  • The operator of a test station (workshop) who receives a proof of performance from us as a basis for the subsequent calculation of the test fee;
  • The competent registration authority in accordance with Annex VIII 3.1.4.4 StVZO if the result of the vehicle inspection is ‘unsafe for road use’;
  • The Federal Motor Transport Authority for recording in the Central Vehicle Register pursuant to § 29a
  • StVZO and § 34 FZV; and
  • The central authority in accordance with Annex VIIIe no. 8.3 StVZO.

Your data will not be transferred to a body in a third country.

We are subject to various statutory storage periods and obligations with respect to your data, for example arising from the StVZO and the Annexes to such, and mandatory storage periods under tax and commercial law. The longest period is ten years in accordance with § 147 AO (German Fiscal Code) and commences at the end of the calendar year in which we carried out the annual vehicle inspection.

5. Icon links to social networks

We use small icons on our website that indicate our website presence on third-party platforms (Facebook, Instagram, Twitter, YouTube, Wikipedia and Xing). These are hyperlinks, therefore no data is transferred from you automatically, but only when you click on the icons and a new tab opens in your browser for the third-party provider’s website.

6. Facebook Fan Page

www.facebook.com/GTUEmbH

We operate a fan page on the social media platform Facebook (Facebook Inc., Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland (hereinafter: "Facebook"), a link to which is displayed on our company website via the Facebook icon. If you do not click on the link, Facebook will receive no data from you. If you click on the link, for example to view our company Facebook page or to "like" our page, Facebook will receive data from you (the data received by Facebook also depends on whether you are logged in to Facebook with your user profile when you click on the page).

While Facebook uses this data at its own responsibility to, among others, create profiles, we can only see aggregated data on our company homepage, i.e. statistics that cease to have a personal attribution. These are called "Page Insights". The following link contains more information on Page Insights: www.facebook.com/legal/terms/information_about_page_insights_data

We have concluded an agreement with Facebook which regulates the joint responsibility for our Fan Page in accordance with the requirements of the GDPR. Please click the following link to view this agreement in the German language: www.facebook.com/legal/terms/page_controller_addendum

Facebook is therefore primarily responsible for the aggregated Insight data. In addition, Facebook will comply with all the obligations under the GDPR with respect to the processing of Insights data (inter alia Art. 12, 13 GDPR, Art. 15–22 GDPR and Art. 32–34 GDPR). We will notify Facebook in a timely manner if you send us a request regarding our Facebook Fan Page. Facebook will respond to the request in accordance with our agreement.

Our legitimate interest in processing personal data is based on the use and linking of different communication channels.

The processing is carried out on the following legal bases: Art. 6 (1) clause 1 lit. a and f GDPR (your consent to the setting of cookies and our legitimate interest in analysis, evaluation and marketing). The Facebook data policy is available at the following link: www.facebook.com/policy.php

We have concluded contracts with Facebook, including the standard contractual clauses, for the data transfer to the USA. For more information, please visit www.facebook.com/legal/technology_terms

Facebook is still certified under the Privacy Shield; however, this does not form the basis of our data transfers to the US. For more information, please visit: www.facebook.com/about/privacyshield and www.privacyshield.gov/participant?id=a2zt0000000GnywAAC

7. Other third-party content integrated on our website

YouTube

We integrate videos from YouTube owned by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (hereinafter "YouTube") to make our website offer more appealing. We use the privacy-enhanced mode so that information about you is only shared with YouTube if you click the video Play button to activate the video.

If you activate the video, YouTube may use cookies to collect information for analysis purposes and to improve the user experience. YouTube states that the data is processed in a pseudonymous form. However, if you are logged in to your Google or YouTube account, the data may be linked directly to your YouTube account.

For more information on data protection, including how long your data is stored by YouTube, please view Google's privacy policy at policies.google.com/privacy?hl=de&gl=de

If YouTube sets cookies when you actively click on and play a YouTube video on our site, we process your data on the basis of consent (Art. 6 (1) clause 1 lit. a GDPR) and based on our legitimate interests (Art. 6 (1) clause 1 lit. f GDPR). You can revoke your consent at any time by deleting the cookies from your browser.

The legal basis for the integration of the YouTube service on our website and the subsequent processing of your data is Art. 6 (1) lit. f GDPR.

YouTube/Google is still certified under the Privacy Shield, but we cannot rely on this for data transfer. YouTube/Google now relies on the standard contractual clauses for data transfers. For more information on this topic, please visit policies.google.com/privacy/frameworks?hl=de&gl=de
and on the Privacy Shield: www.privacyshield.gov/participant?id=a2zt000000001L5AAI and policies.google.com/privacy/frameworks?hl=de&gl=de

8. Applicant data

We display job vacancies in our team on our website and you can send your application by email. We process your data to manage the application procedure, which means that your application will be viewed by the employees who are responsible for pre-selection. We will neither disclose your data to third parties nor use it for other purposes.

Your applicant data will be stored by our company. If we reject your application, we will only store the data for as long as necessary and for a maximum period of six months, unless you provide consent to store the applicant data for a longer period to enable us to contact you after this time if necessary.

The legal basis for processing your data is § 26 BDSG (Federal Data Protection Act) and Art. 88 GDPR.

9. Use of service providers

We would like to point out that, when processing your personal data, we may use service providers with whom we have concluded order processing agreements (e.g. for website hosting). If processors in a third country (not within the EU) carry out the data processing, we ensure that the level of protection of your data guaranteed by the GDPR is not undermined (Art. 44 et seq. GDPR). The legal basis for the use of service providers is Art. 6 (1) clause 1 lit. f GDPR. The commissioning of service providers (specialists or other service providers in areas in which we cannot provide services) is in our legitimate interest. Please let us know if you would like to receive a copy of the appropriate or adequate safeguards (see point 1 above).

10. Matomo

We use the open-source software Matomo on our website to perform statistical analyses of visits to our website. For example, we receive statistical information about how many visitors use our site, which content is popular or if specific pages are not found.

When you access a page, information about the terminal device you are using is recorded (IP address and metadata or log files) and then immediately anonymised. As we host the Matomo software ourselves, no data is transmitted to third countries or other third parties.

We anonymise your IP address on the basis of our legitimate interests (Art. 6 (1) lit. f GDPR), as we use the statistical information to optimise our website content and anonymise such data to serve your best interests as far as possible. Immediate anonymisation means that we cannot assign the data to any persons or identifiers. No profiling is carried out.

We set two essential Matomo cookies (first-party cookies) that are technically necessary based on your selection of our cookies.

Name: MATOMO_SESSID
Purpose and duration: the cookie facilitates the Matomo opt-out feature. This is only set for a short period and is for security purposes (avoidance of cross-site request forgeries (CSRF)).

Name: _pk_ignore
Purpose and duration: Should a user decide to opt out, the cookie will store the information that no tracking should take place for 6 months.

The legal basis for processing personal data via cookies is Art. 6 (1) lit. f GDPR.

Cookies for our Matomo application are only set with your consent (Art. 6 (1) lit. a GDPR) (first-party cookies). These are the following cookies:

Name: _pk_id
Lifetime: 13 months
Purpose: The cookie stores a unique visitor ID.

Name: _pk_
Lifetime: 30 minutes
Purpose: The cookie stores information about your visit to our website.

Name: _pk_ref.x.xxxx
Lifetime: 6 months
Purpose: This is where we store the attribution information for reaching a goal we have set and from which website the visit to our site originated (referrer). We can then use our Matomo analysis tool to evaluate to what extent we are achieving our goals.

Cancellation: You can click here to withdraw your consent for the cookies at any time: Opt-Out or to delete the stored cookies from the browser via your browser settings. The lawfulness of the processing of personal data until the date of the withdrawal of consent shall remain unaffected by the cancellation.

It is not possible for us to clearly identify a person, as we work with anonymised IP addresses and pseudonymous cookie information. For more information on Matomo and the GDPR, please visit matomo.org/gdpr-analytics/

11. Your rights

When we process your data, you are a "data subject" within the meaning of the GDPR. You have the following rights: right of access, right to rectification, right to restrict processing, right to erasure, right to be informed and right to data portability. In addition, you have a right to object, a right to withdraw consent and the right to lodge a complaint with a supervisory authority.

The individual rights are detailed below:

a. Right of access

You have the right to request us to confirm whether we are processing your personal data. If we process your personal data, you have the right to obtain information in particular about the purposes of the processing, the categories of personal data, recipients or categories of recipients and, if applicable, the period of storage.

b. Right to rectification

You have the right to correct and/or complete the personal data we have stored about you if it is accurate or incomplete. We will then immediately correct or complete the information.

c. Right to restrict processing

You have the right to request that we restrict the processing of your personal data under certain circumstances. For example, if you dispute the accuracy of your personal data and we are obliged to verify the accuracy for a certain period of time. Your data will only be processed in a restricted form while we are verifying the data. Another example of the restriction of processing is if we no longer require your data, but you need it for litigation purposes.

d. Right to erasure

In certain circumstances you have the right to request that we delete your personal data immediately. This would apply, for example, if we no longer require your personal data for the purposes for which we collected the data or if we have processed your data unlawfully. Another example would be if we process your data based on your consent, you withdraw your consent and we have no other legal basis for processing your data. However, your right to erasure does not apply in all circumstances. We may, for example, process your personal data to comply with a legal obligation or we may require it for litigation purposes.

e. Right to be informed

If you have exercised your right to rectify, erase or restrict the processing of your data, we are obliged to notify all recipients to whom we have disclosed your personal data of such rectification, erasure or restriction of the processing of your data, unless this is not feasible or entails a disproportionate expenditure of effort.

f. Right to data portability

Under certain circumstances, you have the right to receive the personal data you submitted to us in a structured, commonly-used and machine-readable format and the right to request that this data be transferred to another controller. This applies when we process the data either on the basis of your consent or on the basis of a contract with you. We process the data using automated procedures.

You have the right to request us to transfer your personal data directly to another controller, insofar as this is technically feasible and does not affect the freedoms and rights of other persons.

This right to data portability does not apply if the processing is necessary to perform a duty which is in the public interest or to exercise the official authority vested in us.

g. Right to object

You have the right to object to the processing of your personal data at any time on grounds relating to your particular circumstances pursuant to Art. 6 (1) lit. e or lit. f GDPR. This also applies to profiling referred to in these provisions.

We will cease to process your personal data following your objection unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. This also applies to profiling insofar as it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, we will cease to process such data for these purposes.

h. Right to withdraw consent

You have the right to revoke your consent at any time in accordance with Art. 7 (3) GDPR. The withdrawal of consent does not invalidate the lawfulness of the processing carried out up to the date of withdrawal of consent.

i. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy. In particular, you may exercise your right to lodge a complaint in the Member State of your residence, workplace or the place of the alleged infringement if you consider that the processing of your personal data infringes the provisions of the GDPR.

An overview of the respective data protection authorities in various federal states and the relevant contact details are available under the following link: www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

11. Updates and amendments to this privacy policy

Date: 10th of June 2021