Name and Address of the Data Controller
Alten- und Pflegeheim “Haus am Hirtenbach” Betrieb GmbH
Andreas Rau
Kolberger Straße 12
30952 Ronnenberg
Germany
Phone: 05109-5190-0
Email: [email protected]
Website: https://haus-am-hirtenbach.usumsystem.com
Your Rights as a Data Subject
The General Data Protection Regulation (GDPR) provides extensive rights for so-called “data subjects” in Chapter III, which we briefly explain to you regarding the processing of your personal data:
Right of Access
As a data subject, you may request information from the data controller as to whether your personal data is being processed. If so, you have the right to be informed about this data and to receive information about the following:
- the purposes of processing,
- the categories of data,
- the recipients or categories of recipients,
- the planned storage period or the criteria for determining its duration,
- the respective right to rectification, erasure, restriction, or objection,
- the right to lodge a complaint with a supervisory authority,
- the origin of the data (if not collected from you),
- the existence of automated decision-making including profiling, including meaningful information about the logic involved, its scope, and expected effects, and
- the (planned) transfer to a third country or an international organization.
Right to Rectification
We will promptly correct any erroneous data records if you inform us accordingly.
Right to Erasure (Right to Be Forgotten)
If the processing is no longer necessary and the purpose of processing has ceased, or your consent has been withdrawn and there is no other legal basis for the processing, or you object to the processing without an overriding legitimate ground, or your personal data has been unlawfully processed, or the processing is required to fulfill a legal obligation, or it was carried out pursuant to Art. 8(1) GDPR, then we will forward your request for erasure to those third parties to whom your data was previously transmitted.
Right to Restriction of Processing
You may request the restriction of processing of your personal data if the accuracy of the data is contested (e.g., during a period enabling us to verify accuracy); the processing is unlawful but you oppose erasure and instead request restriction of use; we no longer need the data, but you require it for the establishment, exercise, or defense of legal claims; you have objected to the processing, pending determination of whether our legitimate grounds override yours.
Right to Data Portability
Where technically feasible and not affecting the rights and freedoms of other persons, we will — at your request — transmit your data to another recipient (controller).
Right to Object
If we collect or have collected and process personal data from you (on the basis of Art. 6(1)(e) or (f) or Art. 9(2)(a) GDPR), you have the right to object at any time (with future effect) to the data processing (including profiling). In exceptional cases, the objection may be ineffective, e.g., if we can demonstrate compelling legitimate grounds for the processing that override your interests, or the processing serves the establishment, exercise, or defense of legal claims. If we process your personal data for direct marketing purposes, you have the right to object at any time to this processing. This also applies to profiling insofar as it is related to such direct marketing. You also have the right to object to the processing of your data carried out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Automated Individual Decision-Making Including Profiling
If we collect or have collected and process personal data from you, you have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. Exceptions to this apply if the decision is necessary for entering into or performing a contract between you and us, or you have expressly consented to the processing. In any case, we implement appropriate measures to safeguard your rights and freedoms and your legitimate interests, which include at least the right to obtain human intervention on our part, to express your own point of view, and to contest the decision.
Right to Withdraw Data Protection Consent
You have the right to withdraw consent to the processing of personal data at any time.
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about our processing of personal data.
A list of the competent supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection or at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
Privacy Information for Visitors to Our Website (Part I)
The following information applies to data processing on our website in general. Any exceptions or additions to this information are described in detail in the respective sections.
Information on Data Security
We secure our website and other systems through technical and organizational measures against loss, destruction, access, modification, or distribution of your data by unauthorized persons. Despite regular checks, complete protection against all risks is not possible.
Legal Basis of Processing
We process personal data in accordance with the provisions of the GDPR, depending on the type and purpose of the processing as follows:
- Consent — Art. 6(1)(a) GDPR
- Performance of a Contract — Art. 6(1)(b) GDPR
- Pre-contractual Measures — Art. 6(1)(b) GDPR
- Fulfillment of Legal Obligations — Art. 6(1)(c) GDPR
- Protection of Vital Interests — Art. 6(1)(d) GDPR
- Safeguarding Our Legitimate Interests — Art. 6(1)(f) GDPR
Our Legitimate Interest
Our legitimate interest as defined in Art. 6(1)(f) GDPR is based on the conduct of our business activities to maintain our operational capability and secure the employment of our staff.
General Deadlines for Data Deletion
After the storage purpose ceases, the most common retention periods are generally six, eight, or ten years. However, other retention periods may also apply. Data deletion is carried out in accordance with our deletion policy, generally without delay, provided there is no retention obligation, necessity for contract fulfillment, or legitimate interest on our part. Please note that detailed information on the retention periods of cookies and other technologies, if our website uses them, may be found in a consent banner (cookie consent banner).
Deletion or Blocking of Personal Data
We store your personal data only for the period required to fulfill the specified purpose. After the purpose ceases and any applicable retention periods expire, your data will be deleted without delay. If deletion is not possible, the data will be blocked instead.
Collection of General Data and Information
When you visit our website, our web server collects certain general data and technical information — as shown in the following table:
| Data Collected | Purpose of Collection |
|---|---|
| Browser types and versions used | Correct display of page content |
| Operating system used, visitor origin (referrer, e.g., Google), subpages clicked | Optimization of our website content and our advertising |
| Date and time of access to the website, IP address, and Internet service provider of the visitor | Ensuring the permanent functionality of our IT systems (for website operation) and prevention of misuse |
| Other data and information for threat prevention in the event of attacks | Providing relevant information to law enforcement authorities in the event of a cyberattack |
Obligation to Provide Personal Data
Under certain conditions (e.g., due to legal or contractual regulations), you are obligated to provide us with your personal data. Examples of such processing:
| Type/Purpose of Processing | Necessity |
|---|---|
| Conclusion of a purchase contract (e.g., your address) | Fulfillment of contractual obligation (e.g., delivery of goods to your address) |
| In an employment context (e.g., transmission of data to the tax office) | Fulfillment of legal requirements (e.g., tax regulations) |
Data Transfer to Insecure Third Countries / Data Transfer to Non-DPF-Certified US Companies
This website uses tools from companies (1) based in so-called insecure third countries and/or (2) tools from US companies that are not certified under the EU-US Data Privacy Framework (DPF). Information about the tools used can be found in the text of the privacy information.
(1) If personal data of our website visitors is transferred to countries that are insecure under data protection law, a level of data protection comparable to the EU cannot be guaranteed there.
(2) A transfer of personal data to the USA is permissible if the recipient of this data holds a certification under the “EU-US Data Privacy Framework” (DPF) or has appropriate additional guarantees.
Privacy Information for Visitors to Our Website (Part II)
Below you will find details on individual data processing activities on our website, which, where applicable, deviate from or supplement the general information above:
Website Hosting (SpaceNet AG)
A so-called hosting service provider is used to operate this website, on whose European servers the content of the website is stored. The hosting partner records certain metadata (including IP addresses of website visitors) in log files for verification purposes and to ensure system security.
The hosting service provider was carefully selected. All necessary measures have been taken to ensure data protection-compliant data processing (for example, the conclusion of a data processing agreement).
Our website is hosted by:
SpaceNet AG, Joseph-Dollinger-Bogen 14, 80807 Munich, Germany.
When you visit our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or to the server of our hosting company. These are:
- IP address of the visitor’s device,
- Device used,
- Hostname of the accessing computer, visitor’s operating system,
- Browser type and version,
- Name of the retrieved file,
- Time of server request,
- Amount of data, and
- Information whether the data retrieval was successful.
This data is not merged with other data sources.
The personal data collected on this website is stored on the servers of the hosting company. In addition to the above-mentioned data, this may include contact requests, contact data, names, website access data, meta and communication data, contract data, and other data generated via a website.
The legal basis for the processing of this data is our legitimate interest (Art. 6(1)(f) GDPR) in the technically error-free presentation and optimization of this website. If the website is visited to enter into contract negotiations or to conclude a contract with us, Art. 6(1)(b) GDPR serves as an additional legal basis.
We have concluded a data processing agreement pursuant to Art. 28 GDPR with the hosting company.
Contact by Phone or Email
In accordance with legal requirements, we provide our phone number. If you choose this method of contact, we automatically store data to process your inquiries or to contact you. This data will not be passed on to third parties without your consent.
If contact is made by phone or via our email address for pre-contractual or contractual purposes, the processing of personal data by us is based on the legal basis of Art. 6(1)(b) GDPR. For all other contact made by you, the processing of personal data by us is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
Privacy Information for Our Customers
With the following information, we inform you about how we process your data, which you have provided to us for the implementation of pre-contractual relationships or the contract with you within the framework of the customer relationship, and what rights you have in connection with this data processing:
Processing Purposes and Legal Basis
Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and other relevant data protection regulations. The processing and use of individual data depends on the agreed contractual service. You can find further details and additions to the processing purposes in the contract documents (including offers, forms, declarations of consent, and other information/documents provided to you).
Consent (Art. 6(1)(a) GDPR)
If you have given us consent to process personal data, the respective consent is the legal basis for the processing stated therein. You may withdraw consent at any time with effect for the future.
Fulfillment of Contractual Obligations (Art. 6(1)(b) GDPR)
We process your personal data for the performance of our contracts with you, i.e., in particular within the framework of our consulting contract. In addition, your personal data is processed for the implementation of measures and activities within the framework of pre-contractual relationships.
Fulfillment of Legal Obligations (Art. 6(1)(c) GDPR)
We process your personal data when this is necessary to fulfill legal obligations (e.g., commercial and tax laws). Furthermore, we process your data, where applicable, for the fulfillment of tax control and reporting obligations, for the archiving of data for data protection and data security purposes, and for auditing by the tax office and other authorities. In addition, the disclosure of personal data may become necessary in the context of official or judicial measures for the purposes of evidence collection, criminal prosecution, or enforcement of civil law claims.
Legitimate Interest of Ours or Third Parties (Art. 6(1)(f) GDPR)
We may also use your personal data on the basis of a balancing of interests to safeguard the legitimate interest of ourselves or third parties. This is done, for example, for the purposes of advertising or market research, if you have not objected to the use of your data; obtaining information and exchanging data with credit agencies if your order affects our risk capacity; and asserting legal claims and defense in legal disputes.
Categories of Personal Data
We process basic data about our contractual partner and contacts and the business relationship with our contractual partner, which we collectively refer to as master data. This includes in particular all information communicated to us when establishing the business relationship or that we have requested from our contractual partner or a contact person, such as personal data (name, date of birth, place of birth, nationality, marital status, profession/industry, and comparable data) and contact data (address, email address, phone number, and comparable data) and those data that we have recorded in connection with the establishment of the business relationship (such as in particular the details of the contracts concluded).
We further process personal data that arises during the business relationship, which may go beyond a mere change of master data and which we refer to as “transaction data.” This includes in particular information about the services you have received based on the contracts concluded, information about the services we have provided based on the contracts concluded, information that you or a contact person provide to us during the business relationship — either actively or in response to a request from us — and personal data that we receive from you, a contact person, or from third parties during our business relationship.
To the extent permitted by law, we also store personal data of third parties as part of master and transaction data. This includes, for example, data on the economic situation of our contractual partners when this is necessary to assess economic risks — such as payment defaults.
We also process personal data from publicly accessible sources (e.g., internet, media, press, commercial and association registers, registration registers). We process, if necessary for the provision of our services, personal data that we have lawfully received from third parties (e.g., address publishers, credit agencies).
Recipients of Personal Data
We pass on your personal data within our company to the departments that need this data to fulfill contractual and legal obligations or to implement our legitimate interest. In addition, processors commissioned by us (Art. 28 GDPR), service providers for supporting activities, and other controllers within the meaning of the GDPR may receive your data, in particular in the areas of IT services, logistics, courier services, printing services, external data centers, support/maintenance of IT applications, archiving, document processing, accounting and controlling, data destruction, purchasing/procurement, customer management, letter shops, marketing, telephony, website management, tax consulting, auditing services, credit institutions; public authorities and institutions where a legal or regulatory obligation exists requiring us to provide information, report, or transfer data or where data transfer is in the public interest; authorities and institutions based on our legitimate interest or the legitimate interest of the third party (e.g., to authorities, credit agencies, debt collection, lawyers, courts, experts, and supervisory bodies) and other entities for which you have given us your consent to data transfer.
Transfer of Your Data to a Third Country or International Organization
Data processing outside the EU or EEA does not take place.
Duration of Data Storage
Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations arising, among others, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention or documentation periods prescribed therein are up to 10 years beyond the end of the business relationship or pre-contractual legal relationship. Ultimately, the storage period is also determined by the statutory limitation periods, which, for example, under §§ 195 ff. of the German Civil Code (BGB), are generally three years but can be up to thirty years in certain cases.
Automated Decision-Making (Including Profiling)
We attend to you and your inquiry personally and generally do not use automated decision-making procedures, and therefore do not carry out profiling pursuant to Article 22 GDPR.
Privacy Information for Our Suppliers and Business Partners
With the following information, we inform you about how we process your data, which you have provided to us for the implementation of pre-contractual relationships or the contract with you within the framework of the business relationship, and what rights you have in connection with this data processing:
Processing Purposes and Legal Basis
Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and other relevant data protection regulations. The processing and use of individual data depends on the agreed contractual service. You can find further details and additions to the processing purposes in our contract documents (and the exchanged offers, forms, declarations of consent, and other information/documents).
Consent (Art. 6(1)(a) GDPR)
If you have given us consent to process personal data, the respective consent is the legal basis for the processing stated therein. You may withdraw consent at any time with effect for the future.
Fulfillment of Contractual Obligations (Art. 6(1)(b) GDPR)
We process your personal data for the performance of the contracts concluded with you. In addition, your personal data is processed for the implementation of measures and activities within the framework of pre-contractual relationships.
Fulfillment of Legal Obligations (Art. 6(1)(c) GDPR)
We process your personal data when this is necessary to fulfill legal obligations (e.g., commercial and tax laws). Furthermore, we process your data, where applicable, for the fulfillment of tax control and reporting obligations, for the archiving of data for data protection and data security purposes, and for auditing by the tax office and other authorities. In addition, the disclosure of personal data may become necessary in the context of official or judicial measures for the purposes of evidence collection, criminal prosecution, or enforcement of civil law claims.
Legitimate Interest of Ours or Third Parties (Art. 6(1)(f) GDPR)
We may also use your personal data on the basis of a balancing of interests to safeguard the legitimate interest of ourselves or third parties. This is done, for example, for the purposes of asserting legal claims and defense in legal disputes, preventing and investigating criminal offenses, and managing and developing our business activities including risk management.
Categories of Personal Data
We process basic data about our contractual partner and contacts and the business relationship with our contractual partner, which we collectively refer to as “master data.” This includes in particular all information communicated to us when establishing the business relationship or that we have requested from you as a contractual partner or a contact person, such as personal data (name, date of birth, place of birth, nationality, marital status, profession/industry, and comparable data) and contact data (address, email address, phone number, and comparable data) and those data that we have recorded in connection with the establishment of the business relationship (such as in particular the details of the contracts concluded).
We further process personal data that arises during the business relationship, which may go beyond a mere change of master data and which we refer to as “transaction data.” This includes in particular information about our business partner’s activities that we can obtain ourselves or through third parties from publicly accessible sources; information about our business partner’s activities communicated to us by you or by third parties who work with you, possibly through a contact person; information about the services provided or received based on contracts already concluded; information that our contractual partner or a contact person provides to us during the business relationship — either actively or in response to a request from us; personal data that we receive from our contractual partner, a contact person, or from third parties during our business relationship.
To the extent permitted by law, we also store personal data of third parties as part of master and transaction data. This includes, for example, data on the economic situation of our contractual partners when this is necessary to assess economic risks — such as payment defaults.
We also process personal data from publicly accessible sources (e.g., internet, media, press, commercial and association registers, registration registers). We process, if necessary for the maintenance of our business relationship, personal data that we have lawfully received from third parties (e.g., address publishers, credit agencies).
Recipients of Personal Data
We pass on your personal data within our company to the departments that need this data to fulfill contractual and legal obligations or to implement our legitimate interest. In addition, processors commissioned by us (Art. 28 GDPR), service providers for supporting activities, and other controllers within the meaning of the GDPR may receive your data, in particular in the areas of IT services, logistics, courier services, printing services, external data centers, support/maintenance of IT applications, archiving, document processing, accounting and controlling, data destruction, purchasing/procurement, customer management, letter shops, marketing, telephony, website management, tax consulting, auditing services, credit institutions; public authorities and institutions where a legal or regulatory obligation exists requiring us to provide information, report, or transfer data or where data transfer is in the public interest; authorities and institutions based on our legitimate interest or the legitimate interest of the third party (e.g., to authorities, credit agencies, debt collection, lawyers, courts, experts, and supervisory bodies) and other entities for which you have given us your consent to data transfer.
Transfer of Your Data to a Third Country or International Organization
Data processing outside the EU or EEA does not take place.
Duration of Data Storage
Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations arising, among others, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention or documentation periods prescribed therein are up to 10 years beyond the end of the business relationship or pre-contractual legal relationship. Ultimately, the storage period is also determined by the statutory limitation periods, which, for example, under §§ 195 ff. of the German Civil Code (BGB), are generally three years but can be up to thirty years in certain cases.
Automated Decision-Making (Including Profiling)
We attend to you and your inquiry personally and generally do not use automated decision-making procedures, and therefore do not carry out profiling pursuant to Article 22 GDPR.
Privacy Information for Applicants
By submitting your application, you disclose personal data. With this privacy information, we explain in detail how we process your data and what rights you have in connection with this data processing:
Processing Purposes and Legal Basis
Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and other relevant data protection regulations.
We process personal data about you for the purpose of your application for an employment relationship, insofar as this is necessary for the decision on establishing an employment relationship with us. The legal basis for the processing of your personal data in the application process is primarily Art. 6(1)(b) GDPR.
Furthermore, we may process personal data about you insofar as this is necessary to defend legal claims asserted against us from the application process. The legal basis is Art. 6(1)(f) GDPR, with the legitimate interest being, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).
If an employment relationship is established between you and us, we will further process the personal data already received from you for the purposes of the employment relationship, if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfillment of rights and obligations arising from a law or collective agreement, works agreement, or service agreement of the employee representation.
Categories of Personal Data
We process data related to your application. This may include general personal data (such as names, address, and contact details), information about your professional qualifications and education, or information about professional development, or other information you provide to us in connection with your application. In addition, we may process publicly available, job-related information, such as a profile on professional social media networks.
Recipients of Personal Data
Your personal data will not be shared with third parties during the application process. If an employment contract is concluded, the transfer of data to third parties is unavoidable, e.g., to fulfill legal requirements (payment of wage tax, social contributions, etc.). A separate privacy information for employees will then be provided.
Transfer of Your Data to a Third Country or International Organization
Data processing outside the EU or EEA does not take place.
Duration of Data Storage
Deletion of your personal application data generally occurs automatically six months after the conclusion of the application process. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of evidence, or if you have expressly consented to longer storage.
If we are unable to offer you a currently available position but believe, based on your profile, that your application could be interesting for future job offers, we will store your personal application data for twelve months, provided you expressly consent to such storage and use.
Automated Decision-Making (Including Profiling)
We attend to you and your inquiries personally and generally do not use automated decision-making procedures, and therefore do not carry out profiling pursuant to Article 22 GDPR.
Rights of Data Subjects (Here: Applicants)
The rights described at the beginning of the privacy information texts apply.
Currency of Privacy Information
To ensure that our privacy information in connection with the services of our website is always up to date, we use the WEBSITE SCAN of the GDPR Service. We also keep the other privacy information on our website up to date with this service.
We have concluded a data processing agreement pursuant to Art. 28 GDPR with the GDPR Service.