Data protection declaration pursuant to the EU General Data Protection Regulation (GDPR)

Applicable for customers, interested parties, suppliers, as well as sales and cooperation partners of the TerraLoupe GmbH (hereinafter referred to as “TerraLoupe”).
With the following information pursuant to Art. 12 et seq., GDPR we will provide an overview of the processing of your personal data by us and your rights from the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The requested or commissioned products and services shall be decisive for the data to be processed in detail and the manner these are used.

1. Person responsible for data processing
TerraLoupe GmbH
Karl-Theodor-Straße 55
80803 München
Telephone +49 (0) 89 / 55 06 0959

2. Data protection officer of the controller
Martin Fix
Karl-Theodor-Straße 55
80803 München
Telefon +49 89 55060959

3. Data and data sources

a) Sources
We process personal data provided by you in line with our business relationship. Moreover, we process (as far as required for the provision of our products and rendering our service) personal data obtained by third parties (e. g. for the performance of contracts, the execution of contracts or due to the consent granted by you). On the other hand we process personal data we have permissibly gained from publicly accessible sources (e.g. trade and association register, press, media, Internet) and which may be processed.

b) Categories of personal data
When initiating a business relationship or when master data are created the following personal data can be collected, processed or saved:
Address and communication data (name, address, telephone, e-mail address, other contact data), person master data (date/place of birth, gender, nationality, marital status, legal capacity, professional group code, legitimation data (e. g. card data), authentication data (e. g. specimen signature), tax ID)

When products and services are utilized in line with the contracts concluded with us, the following further personal data can be primarily collected, processed and saved in addition to the aforementioned data:
Contract master data (order data, data from the compliance with our contractual obligations, information about potential third-party beneficiaries), account, performance and payment data (debit data, tax information further person master data (profession, employer), documentation data (e. g. logs), product data (e. g. requested or booked services and products), as well as the following business creditworthiness documents: Net income accounts, balance sheets, business assessment, type and term of self-employment.

c) Customer contact information
In the context of the period of initiating a business relationship and during the business relationship, in particular by personal, telephone or written contacts initiated by you or the TerraLoupe further personal data are created. This includes e.g. information on the contact channel, date, occasion and result (electronic) copies of the correspondence, as well as information on the participation in direct marketing activities.

d) Services of the information society
When data is processed in line with services of the information society, you will obtain further data protection information related to the respective service.

4. Purpose and legal basis of processing
We process the personal data mentioned in 3 in compliance with the regulations of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

a) For compliance with contractual obligations (Article 6 (1) lit. b GDPR)
The processing of personal data is made for justification, performance and termination of a contract for the provision of products or the rendering of services, as well as for the performance of pre-contractual activities for the preparation of quotations, contracts or other requests directed at the conclusion of the contract which are made on the basis of your request.
The purposes of data processing are first of all based on the specific products and services and can comprise needs analyses, consulting and support etc. Further details of the purpose of data processing can be gathered from the respective (also pre-contractual) contract documents of our cooperation.
Interested parties may be contacted under consideration of potentially stated limitations during the initiation of the contract and customers, suppliers, as well as cooperation partners during the business relationship using the data they have communicated.

b) Due to your consent (Article 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR)
Provided that you have given us your consent to process personal data for certain purposes, the processing shall be legitimate on the basis of your consent. A given consent may be revoked at all times. This shall also be applicable for the cancellation of declarations of consent that were given vis-à-vis us prior to the validity of the EU General Data Protection Regulation, this means prior to 25 May 2018. Please note that the cancellation will only be valid for the future. Processing made before the cancellation shall not be affected. You may request an overview of the status of the contents you have given at all times.

c) Due to statutory requirements (Article 6 (1) lit. c GDPR or for the public benefit (Article 6 (1) lit. e GDPR)
We are subject to various legal obligations, as well as legal requirements and process data for the following purposes among others: Identity check and age verification, the compliance with fiscal control and reporting obligations, as well as the assessment and control of risks within the corporate group.

d) In line with the balancing of interests (Article 6 (1) lit. f GDPR)
To protect justified interests of us or a third party the processing of data submitted by you can be required for the following reasons:

• Review and optimization of processes for needs analysis and direct customer contact; incl. segmentations and calculation of probability of closure
• Advertising or market and opinion research, provided that you have not objected to the utilization of your data
• Assertion of legal claims, defense in the event of legal disputes, defense against liability claims
• Safeguarding IT security and IT operations
• Consultation of and data exchange with credit agencies for ascertaining credit risks
• Prevention of crimes
• Video surveillance for preserving the domiciliary right, collecting evidence in the event of crimes
• Building and office security precautions
• Measures for assuring the domiciliary right
• Business management and development of services and products measures
• Risk control within the corporate group

5. Recipients of data
Within the TerraLoupe those entities shall be granted access to your data which are required to comply with our contractual and legal obligations. Service providers employed by us can receive data for these purposes, if they comply with our written data protection directions.

With regard to the disclosure of data to recipients not belonging to the TerraLoupe it has to be observed first of all that we are obliged to keep all customer-related information we become aware of confidential. We shall only be entitled to disclose information about you if this is permitted by statutory stipulations, you have consented and/or processors commissioned by us guarantee similarly the requirements of the EU General Data Protection Regulation and the Federal Data Protection Act.
Under those conditions the recipients of personal data may for instance be:

• Public bodies and institutions in the circumstances of a statutory or official obligation.
• Processors to which we submit personal data for the execution of the business relationship. In detail: Support/maintenance of EDP/IT applications, customer management, letter shops, marketing, telephony, website management, auditing service, transactions, IT security.

Further data recipients may be those entities for which you have given the consent to data transfer.

6. Data transfer to third countries or international organizations
Data transfer to countries outside the EU or EEA (so-called non-member countries) shall only take place if it is required for the performance of your orders, statutory (e.g. fiscal reporting requirements), you have given us your consent or it is done in line with order processing. If service providers are employed in a non-member state, these shall be obliged to the compliance with the data protection level in Europe in addition to written instructions by the agreement of EU standard contractual clauses.

7. Term of data storage
We will process and save your personal data as long as required for the performance of our contractual and legal obligations. If the data are not required anymore for the performance of contractual or legal obligations, they will be deleted at regular intervals, unless their (limited) processing is necessary for the following purposes:

• Compliance with commercial and fiscal retention periods pursuant to Section 257 Commercial Code (HGB) and Tax Code with periods for storage or documentation of two to ten years laid down there.
• Receipt of evidence in the context of the statute of limitations. Pursuant to Sections 195 et seq. of the Civil Code (BGB) these limitation periods can be up to thirty (30) years, whereas the regular limitation period is three years.

8. Data protection rights of the data subject
Every data subject shall have a right of access by the data subject pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure (“Right to be forgotten”) pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to data portability from Article 10 GDPR, as well as the right to object from Article 21 GDPR. For the right to erasure and right of access the limitations pursuant to Articles 34 and 35 GDPR shall be applicable. Moreover, there is the right to lodge a complaint with a supervisory authority pursuant to Art. 13(2) lit. d GDPR and Article 77 GDPR combined with Section 19 BDSG (Federal Data Protection Act).
You may revoke the consent to the processing of personal data pursuant to Art 7 (3) GDPR at any time. This shall also be applicable for the cancellation of declarations of consent that were given vis-à-vis us prior to the validity of the EU General Data Protection Regulation, this means prior to 25 May 2018. The cancellation of the consent shall not affect the legitimacy of the processing made on the basis of the consent until the cancellation.

9. Obligation to provide data
In the context of our business relationship you must provide the personal data that is required for entering into and carrying out a business relationship and the compliance with the contractual obligations related to it or the collection to which we are legally bound. Without these data it is expected that we will normally be obliged to object to the conclusion of the contract, the provision of products and the rendering of services or to no longer carry out an existing contract or terminate the same.

10. Automated decision-making (including profiling)
As a general rule, we do not use fully automated decision-making (including profiling) for entering into and the performance of the business relationship pursuant to Article 22 GDPR. Should we use these processes on a case-by-case basis, we will inform you separately, provided that is stipulated by law.