Declaration of data protection according to the EU General Data Protection Regulation (as of May 2018)

Introduction

The EU General Data Protection Regulation (GDPR) enters into force on 25 May 2018. It is designed to harmonize data privacy laws across Europe. The objectives of this regulation are the safeguarding of fundamental rights and freedoms of individuals, and in particular, their right to the protection of personal data and the free flow of personal data.

These objectives are to be achieved through the principles laid down in Article 5 of the EU General Data Protection Regulation (GDPR) for the processing of personal data: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

The following information is intended to give you an overview of the processing of personal data by Watermill Global GmbH as well as of your rights under data protection law.

The members of the management of Watermill Global GmbH have always attached very high importance to the protection of personal data.

Which data are processed in particular, and how they are handled, depends on the agreed contracts and service agreements.

Whom should you contact at Watermill Global GmbH with questions regarding data protection law?

Watermill Global GmbH 

Data Protection Officer

10719 Berlin, Germany

Kurfürstendamm 234

Phone: +49 30 224 10737

Email: datenschutzbeauftragter@watermillglobal.de

1. Which sources and what kind of data do we use?

We process personal data relating to our mutual business relationship, such as the name and address of a contact person and further contact details like phone number and email address. Moreover, we also process personal data lawfully received from publicly accessible sources (e.g. internet, print media, communication media, commercial register), such as name, address, contact details like phone number and email address, date and place of birth, gender, nationality, language and identification data.

In the course of our business relationship, particularly through close, personal contacts (by phone, in writing or in meetings), further personal data are collected (e.g. contact channel, date of contact, motive and result of the contact, (electronic) copies of the correspondence, as well as information about participation in different meetings/events).

2. On what legal basis and why do we use personal data (purpose of processing)?

The above-mentioned personal data are processed in accordance with the EU General Data Protection Regulation and the Federal Data Protection Act (Germany) for the following purposes:

Fulfilment of contractual obligations (Art. 6(1b) GDPR)

Personal data are processed for the purpose of implementing pre-contractual measures as well as the measures and activities required for our business, subject to the specific contractual relationship.

If you are interested in more detailed information on the purpose of our processing of personal data, please don’t hesitate to contact our Data Protection Officer.

Balancing of interests (Art. 6(1f) GDPR)

Above and beyond the mere fulfilment of the contract, we process, where required, your personal data in order to protect legitimate interests of Watermill Global GmbH as well as of third parties.

Examples:

• Establishment, exercise or defence of legal claims

• Guarantee of the IT security and IT operations of Watermill Global GmbH

• Basis for corporate control and improvements in services and working processes

• Risk management and compliance within Watermill Global GmbH

On the basis of your consent (Art. 6(1f) GDPR)

Once we have received your consent to process your personal data for defined purposes (e.g. disclosure of data to Watermill Global GmbH or to external service providers), the processing is lawful on the basis of that consent.

As a matter of course, you may withdraw such consent at any time. Please keep in mind that the revocation will be valid only for the future.

This also applies to declarations of consent issued before 25 May 2018. You can also request from Watermill Global GmbH an overview of the consents you have given.

On account of legal requirements (Art. 6(1c) GDPR) or for public interest (Art. 6(1e) GDPR)

As a manufacturing and trading company, we are subject to various legal obligations. We have to meet legal requirements arising, for instance, from the Securities Trading Act, tax laws and other guidelines (e.g. compliance demands). The purposes of data processing also include the fulfilment of customs and tax control and reporting obligations as well as taking a responsible approach to Watermill Global GmbH’s risk management.

3. Who has access to personal data?

At Watermill Global GmbH, access to your personal data is granted only to those who need the data to fulfil contractual and legal obligations. This also includes service providers engaged to handle matters within the required scope, as long as they maintain due confidentiality and accept our data protection directives.

In the context of transferring personal data to third parties, it is important to note that the knowledge gained by Watermill Global GmbH on all employee-related facts and assessments is to be kept confidential by law.

The disclosure of information about you is subject to statutory provisions and to your consent. Third parties have to respect the EU General Data Protection Regulation as well as the Federal Data Protection Act (Germany).

In light of the above, the following categories of companies may have access to your personal data:

• Public authorities and institutions

• Financial service sector / financial institutions

• External service providers engaged to fulfil contractual obligations, such as document processing, order processing, logistical services, telephony, email communication, website management, marketing services, procurement, processing of payment transactions, debt collection services, master data management, mandatory registration, storage, controlling, auditing services, data destruction

• Further data recipients for whom you have given us your consent to the data transfer, or with respect to whom you have released us from data secrecy

4. Will personal data be transferred to a third country or to an international organisation?

We do not intend to transfer personal data to countries outside the European Union (non-member countries).

Should service providers in third countries be engaged in the future, they will be bound by the EU Standard Contractual Clauses with regard to the level of data protection within Europe.

5. How long will your data be stored?

We process and store your personal data as long as we need them to fulfil our contractual and legal obligations.

We will erase your personal data on a regular basis when they are no longer required to fulfil contractual and legal obligations, unless temporary processing is required for the following purposes:

• Observance of the retention periods under commercial or tax law according to the code of commercial law, the General Fiscal Law, the Securities Trading Act and the Stock Corporation Act. The periods prescribed there for storage and documentation are two to ten years.

• Preservation of evidence within the scope of the statutes of limitation: according to paragraph 195 onwards of the German Civil Code, these limitation periods can be up to 30 years, whereby the regular statutory limitation period is three years.

6. What data protection rights are available to you?

Every data subject has the right to be informed (Article 15 GDPR), the right of rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of data processing (Article 18 GDPR), the right to object (Article 21 GDPR) as well as the right of data portability (Article 20 GDPR).

With regard to the right to information and the right to erasure, the restrictions of paragraphs 34 and 35 of the Federal Data Protection Act apply.

Furthermore, you have the right to appeal to the data protection supervisory authority as provided in Article 77 GDPR similar to paragraph 19 of the Federal Data Protection Act.

7. Is there an obligation to provide personal data?

In the course of our business partnership or our contractual relationship, you have to provide the personal data needed for establishing and implementing a business relationship or for fulfilling our contractual obligations, as well as the data we are legally obliged to collect.

8. To what extent is there automated decision-making, including profiling?

As a general principle, Watermill Global GmbH does not use fully automated decision-making pursuant to Article 22 GDPR for entering into or performing a contract. Should this procedure be used in individual cases, we will inform you accordingly if it is required to do so by law.

9. Does profiling take place?

Watermill Global GmbH processes your personal data in a partially automated manner, but without the aim of evaluating specific personal aspects (profiling). We are obliged to carry out checks based on statutory requirements, such as export controls under customs provisions or other official regulations, e.g. within the scope of Known Shipper for safe air freight and for sanctioned-party list screening. These measures also serve your protection.

Information on your right to object (Article 21 GDPR)

Individual right of objection

You have the right at any time to object to the processing of your personal data pursuant to Article 6(1e) GDPR concerning data processing for public interest. This also applies to profiling pursuant to Article 4(4) GDPR.

If you file an objection, your personal data will no longer be processed unless we can either prove compelling legitimate interests which override your interests and your fundamental rights and freedoms, or the data processing is required for the assertion, exercise or defence of legal claims.

For further information or if you have any questions, please do not hesitate to contact our Data Protection Officer.