Data Privacy Statement

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States, as well as other data protection regulations, is:

Axactor Germany Holding GmbH
Am Paradeplatz 20
69126 Heidelberg
Germany

Tel.: +49(0)6221/987-60
email: info@axactor.de
Website: www.axactor.de

II. Name and address of the data protection officer

The data protection officer is:

Christine Bertram
Axactor Germany GmbH
Am Paradeplatz 20
69126 Heidelberg
Germany

Tel.: +49(0)6221/987-60
email: datenschutz@axactor.de

III. About data processing in general

1. Scope of the processing of personal data

In principle, we only process personal data of our users to the extent necessary for the provision of a functioning website and our content and services. The personal data of our users are generally only processed after the consent of the user has been obtained. An exception applies in those cases where practical reasons make it impossible for us to obtain prior consent, and statutory provisions allow the processing of the data.

2. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, the legal basis for doing so is point (a) of Art. 6(1) of the General Data Protection Regulation (GDPR).

When the processing of personal data is required for the performance of a contract to which the data subject is party, point (b) of Art. 6(1) GDPR serves as the legal basis. This also applies for processing operations that are necessary in order to take steps prior to entering into a contract.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, point (c) of Art. 6(1) GDPR serves as the legal basis.

Where processing is necessary for the purposes of a legitimate interest pursued by us or a third party, and if your interests, basic rights or basic freedoms do not override the former interest, the legal basis for the processing is point (f) of Art. 6(1) GDPR.

3. Erasure of data and duration of storage

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. They may be stored for longer if this has been provided for by European or national legislators in Union regulations, laws or other provisions to which the controller is subject. The data will also be erased or blocked when a time limit for storage specified by one of the above standards expires, unless it is necessary to continue storing the data in order to enter into or perform a contract.

4. Security

We have taken all necessary technical and organisational security measures to protect your personal data against loss and misuse. Our employees have been trained in security and data protection. During transmission your personal data will be encrypted by what is known as Secure Socket Layer (SSL) technology, i.e. communication will use a recognised encryption process, if your browser supports SSL.

IV. Provision of the website and creation of log files

1. Description and extent of the data processing

Every time our website is accessed, our system automatically records data and information from the computer system of the accessing computer. The following data will be collected:

• The user's IP address
• The date and time of access
• Browser name and version
• Name and version of the operating system

The data will also be stored in the log files of our system. These data will not be stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is point (f) of Art. 6(1) GDPR.

3. Purpose of data processing

The system has to store the IP address temporarily in order to enable the website to be delivered to the user's computer. This requires the user’s IP address to be stored for the duration of the session. Data are stored in log files in order to ensure the functionality of the website. The data also help us to prevent fraud, to secure evidence in the event of cyber attacks or attempted fraud, to optimise, to review the security standards, to rectify errors in the website and to ensure the security of our IT systems. The data will not be analysed for marketing purposes in this regard. These purposes also constitute a legitimate interest of ours in the processing of personal data in accordance with point (f) of Art. 6(1) GDPR.

4. Duration of storage

The data will be erased as soon as they are no longer required for the purposes for which they were collected. For the reasons set out under section 3, this is the case not later than after 12 months.

5. Right to object and right of removal

The recording of the data for the delivery of the website and the storage of the data in log files are absolutely essential for operation of the website. Users do not therefore have any right to object.

V. Use of cookies

Webpage:

Here you can find more information about our cookie policy.

Portals:

For our portals AXACTORweb and yourAXACTOR (both under https://portal.axactor.de) - hereinafter jointly referred to as "portals" - the following applies with regard to cookies:

Our portals use technical cookies. The legal basis for the processing of personal data using these cookies is Art. 6 para. 1 lit. f GDPR. The purpose of the use of technically necessary cookies is to simplify or enable the use for the users. The functions of the portals cannot be offered without the use of cookies. These require the browser to be recognized even after a page change. The user data collected through technically necessary cookies is not used to create user profiles. Cookies are stored on the user's computer and transmitted by the user to our site. Therefore you as a user have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. However, if the cookies for our portals are deactivated, the functions of the portals can no longer be used.

VI. Use of contact forms

1. Description and extent of the data processing

Our website contains contact forms that you can use for the purposes of making contact electronically. If you take advantage of this option, the data you enter on the input screen will be sent to and stored by us. These data are the following:

• File reference
• Surname
• Forename
• Date of birth
• Street (current and previous, if applicable)
• House number (current and previous, if applicable)
• Postcode (current and previous, if applicable)
• Place (current and previous, if applicable)
• Country (current and previous, if applicable)
• Desired call-back time
• Matter
• Date of first payment, if applicable
• Instalment, if applicable
• IBAN, if applicable
• Password, if applicable

Other voluntary data may be:

• Private telephone number
• Mobile number
• Work telephone number
• Email address
• Account-holder (if different)
• BIC

2. Legal basis and purposes for data processing

We process the personal data from the input screens in order to deal with your inquiry.

Other purposes and legal bases may be:

• Debt management pursuant to point (b) of Art. 6(1) GDPR for the enforcement of a claim to performance, pursuant to point (f) of Art.6(1) GDPR on the basis of the economic interest of the creditor in the recovery of the debt and where appropriate on the basis of consent pursuant to point (a) of Art.6(1) GDPR in conjunction with Art. 7 GDPR
• Prosecution pursuant to point (b) of Art.6(1) GDPR
• Defence against claims pursuant to point (b) of Art.6(1) GDPR and pursuant to point (f) of Art.6(1) GDPR
• The legal obligations pursuant to point (c) of Art.6(1) GDPR, inter alia on account of the statutory duties of retention pursuant to section 147(3) first sentence of the German Fiscal Code (AO), the German Money Laundering Act, the duties of information pursuant to section 11a RDG and as evidence of proper data processing
• Where appropriate, protection of lenders against defaults in payment (recording in a credit agency) pursuant to point (f) of Art. 6(1) GDPR
• Reporting to the client pursuant to point (f) of Art. 6(1) GDPR

3. Duration of storage, right to object and right of removal

From the end of the calendar year following the conclusion of the last proceedings against you as the debtor, the data will be stored for a further 3 years for the purposes of enabling a defence against claims, compliance with rights of information or evidence of proper data processing. The data will then be archived in a sealed area for a further 10 years in accordance with statutory duties of retention. The data will be erased when the statutory duties of retention no longer apply.

4. Obligation/duty to provide

You are not under any obligation to provide the voluntary data set out under a) above. Depending on the form, the other data set out under a) are required in order to identify you and deal with your inquiry.

VII. Information for interested parties pursuant to Art. 13, 14 GDPR

1. Legal bases and purposes of data processing

• Internal administrative purposes (communication with existing contract partners / interested parties / partners pursuant to point (f) of Art. 6(1) GDPR: Legitimate interests of a third party or own legitimate interest
• Advertising/direct marketing pursuant to point (f) of Art. 6(1) DSGVO: Legitimate interests of a third party or own legitimate interest and where appropriate consent pursuant to point (a) of Art. 6(1) GDPR in conjunction with Art. 7 GDPR

2. Categories of personal data to be processed
(pursuant to point (d) of Art. 14(1) GDPR)

• Personal details

• Address details

• Contact details

• Company details

3. Recipients/categories of recipients of personal data
(pursuant to point (e) of Art. 13(1) and point (e) of Art. 14(1) GDPR)

• Service providers (e.g. providers of printing services, IT services)

• Affiliated companies

4. Transfer to a third country
(pursuant to point (f) of Art.13(1) and point (f) of Art. 14(1) GDPR)

Transfer to a third country is not envisaged.

5. Duration of storage
(pursuant to point (a) of Art.13(2) and point (a) of Art. 14(2) GDPR)

Data will be erased five years after the end of the calendar year of the last contact.

6. Obligation or duty to provide
(pursuant to point (e) of Art. 13(2) GDPR)

The data subject is not obliged to provide the data.

7. Sources of the personal data
(pursuant to point (f) of Art. 14(2) GDPR)

Data subject, client, service provider, affiliated companies, public register, associations

VIII. Rights of the data subject

If your personal data are processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

1. Right of access

You can demand confirmation from the controller of whether we process personal data concerning you.

Where such processing takes place, you can demand details from the controller concerning the following information:

(1) the purposes for which the personal data are being processed;

(2) the categories of personal data being processed;

(3) the recipients or the categories of recipients to whom the personal data concerning you were disclosed or are being disclosed;

(4) the planned duration of storage of the personal data concerning you or, if concrete details of this are not possible,
criteria for determining the storage period;

(5) the existence of a right to rectification of the personal data concerning you, of a right to restriction of processing by the controller or of a right of objection to this processing;

(6) the existence of a right of complaint to a supervisory authority;

(7) all available information about the origins of the data, if the personal data were not collected from the person concerned.

You also have the right to demand information on whether the personal data concerning you are transferred to a third country or an international organisation. In this regard you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in relation to the transfer.

2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are incorrect or incomplete. The controller must bring about the rectification without undue delay.

3. Right to restriction of processing

Under the conditions set out below, you can demand that the processing of the personal data concerning you be restricted:

(1) if you dispute the accuracy of the personal data concerning you, for a period of time that enables the controller to verify the accuracy of the personal data;

(2) if the processing is unlawful and you refuse the erasure of the personal data and instead request the restriction of use of your personal data;

(3) if the controller no longer needs the personal data for the purposes of the processing, but you require this for the establishment, exercise or defence of legal claims; or

(4) if you have lodged an objection to the processing pursuant to Art. 21(1) GDPR pending verification of whether the legitimate grounds for the controller override your grounds.

If the processing of the personal data concerning you were restricted, these data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing were restricted in accordance with the above requirements, you will be informed by the controller before the restriction is lifted.

4. Right to be informed

If you have exercised your right to have the controller rectify the personal data concerning you or restrict their processing, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have a right vis-à-vis the controller to be informed of these recipients.

5. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on points (e) or (f) of Art. 6(1) GDPR, including profiling based on those provisions.

The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

6. Right to withdraw consent given under data protection regulations

You have the right at any time to withdraw consent given under data protection regulations. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to the withdrawal.

7. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint was lodged will inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The address of the supervisory authority for our company is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstr. 20, 70173 Stuttgart, telephone: +49(0)711/615541-0, poststelle@lfdi.bwl.de.