Mandatory Information to be Provided Pursuant
to Art. 12 et seq. EU GDPR
I. Name and contact information of the data controller
Your contact, who is the data controller as defined in the European General Data Protection Regulation (“EU GDPR”) and in other domestic data privacy legislation of the member states or any other data privacy law related provisions is:
GEFO Gesellschaft für Oeltransporte mbH
Raboisen 5
20095 Hamburg
(hereinafter referred to as “we,” “us” or “our”).
II. Contact information of the data protection officer
The protection of your personal data is important to us. To underscore this importance, we have commissioned a consulting firm specializing in data protection and security to handle these central matters. Our data protection officer is a member of this highly experienced group of experts.
Our consulting firm is:
MAGELLAN Compliance GmbH, Raiffeisenallee 9, 82041 Oberhaching, Germany / www.magellan-datenschutz.de
If you have any data protection and data security related questions associated with our company, please contact our data protection officer directly. Email: datenschutz_gefo@magellan-compliance.de / phone: +49 (0)40 301 05 0
III. General data processing information
1. Scope
Principally, we will only process your personal data if this is necessary in order for us to provide you with a functional version of our website and of our content as well as services.
2. Legal basis
If we have obtained your consent to the processing of your personal data, the legal basis for such processing is Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
If we process your personal data with the aim of meeting contractual mandates or in conjunction with the negotiation of a contractual relationship, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. b) EU GDPR.
If the processing of personal data is necessary in order for us to meet any legal obligations, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. c) EU GDPR.
If we process your personal data to protect our or any third party’s legitimate interests, provided your interests or fundamental rights and freedoms do not outweigh the preceding interests, the legal basis for the processing of such data is Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
3. Retention period
Your personal data shall be deleted as soon as the purpose of its retention no longer exists or, if you have a right to object to the processing, you have withdrawn your consent. It is possible that your data will be stored longer if this has been defined in the respective European or domestic legislation, in Union-law provisions, acts or any other provisions we are subject to. In these cases, your personal data shall, however, be blocked.
4. External links
If we provide links to external websites, this Privacy Policy shall not apply to the processing of your personal data by the data controller of the linked website. Hence, we recommend that you review the data privacy policies on external websites you visit. If such a linkage should require a legal basis for the resulting processing of your personal data, it shall be your consent pursuant to Art. 6 Sect. 1 S. 1 lit. a) EU GDPR, which you shall grant by clicking on the respective link.
As a rule, the clicking on any such links (hyperlinks) will result in the processing of your following personal data:
- IP address,
- Screen resolution,
- Deployed browser,
- Bandwidth,
- Language settings.
IV. Data processing on our website
1. Website functions
a. Provision of the website and generation of logfiles
(1) Description and scope
In conjunction with offering our website we will process your personal data to ensure the error free presentation of our website on your PC or mobile device. Because of that, we have to store some of your personal data for the duration of the session.
Furthermore, we will store your personal data temporarily in logfiles, to guarantee that our website will work properly and the operation of our IT systems is secure. Any other processing of your personal data in logfiles will not occur.
The following personal data will be processed for the provision of the website and for the generation of logfiles:
- IP address,
- Access date,
- Access time,
- If applicable, previously visited website,
- Used browser,
- Used operating system.
(2) Legal basis
Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
(3) Purpose
The purpose of this data processing is to provide the website, ensure its functionality, and the security of the IT systems used for this.
The purpose simultaneously establishes our legitimate interest.
(4) Retention period
Your personal data will be stored in logfiles for the duration of 7 days. Moreover, your personal data will be stored in conjunction with the provision of the website, but only for the duration of the session.
(5) Objection and removal option
The processing and storage of your personal data in logfiles is absolutely mandatory for the provision of the website, to guarantee its functionality and to guarantee the security of the utilized IT systems. Consequently, you do not have an option to object.
b. Technically necessary cookies
(1) Description and scope
When it comes to technically necessary cookies, we will process your personal data since many functions and services of our website that facilitate the use of the website for you or that are essential to make its use even possible will not work properly in the absence of using cookies (“technically necessary cookies”).
In these technically necessary cookies, we store, in some cases, personal data of yours that will, however, only be used to use these functions and services. Any other processing of your personal data shall not occur.
A list of the technically necessary cookies we use, as well as their purpose, retention period and other information is available in our cookie banner.
The following personal data will be processed in conjunction with the use of technically necessary cookies:
- IP address,
- Language settings of your browser,
- The browser you use,
- Shopping cart information.
(2) Legal basis
Legitimate interest, § 25 Sect. 2 TDDDG in combination with Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
(3) Purpose
The purpose of this data processing is the provision of the website functions and services.
The purpose simultaneously establishes our legitimate interest.
(4) Retention period
As a rule, for the duration of the respective session, unless otherwise specified in the list of the technically necessary cookies we use.
(5) Objection and removal option
Technically necessary cookies will be stored on your PC or mobile device and will be sent by the former to our website. Hence, you are in complete control over the use of technically necessary cookies.
You have the option to deactivate or restrict the transmission of cookies by changing your browser settings. Cookies that have already been stored can be deleted by you at any time. This may also be done automatically. If cookies for our website are deactivated, you may no longer be able to fully use the functions of our website.
c. Cookies that are not technically necessary
If cookies that are not technically necessary should be used in conjunction with the use of our functions and services on our website, you will find a list of these cookies, their purpose, retention period and other information in our cookie banner.
d. Google Maps
(1) Description and Scope
For the display of maps, we have integrated Google Maps into our website. As a result, we are in a position to show content we would like to present for your use in an attractive, uniform and device independent manner on our website Google Maps is service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
In conjunction with the integration of Google Maps, the following personal data will be processed:
- IP address,
- Screen resolution,
- Language settings,
- Location data.
When you use the Google Maps service, additional personal information may be processed. The respective information is available at:
https://policies.google.com/privacy?hl=de#whycollect
(2) Legal basis
Consent, Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
(3) Purpose
The purpose of processing your data is the display of map content.
(4) Retention period
We will process your personal data only until you complete your visit to our website (expanded data protection mode). We do not have any control over the deletion of your personal data from by Google Maps. More information is available at:
https://policies.google.com/privacy?hl=de&gl=de#inforetaining
(5) Objection and removal option
You have the option to revoke your consent at any time. You can exercise this revocation option in particular by closing the application and/or by reloading the website.
We do not have any control over the deletion of your personal data from Google Maps. For more information please visit:
https://policies.google.com/privacy?hl=de-DE
2. Contact us
a. Contact form and email contact
(1) Description and scope
The following personal data will be processed along with the contact form and any interactions via email:
- First name;
- Last name;
- Company;
- Email address;
- Phone number;
- Department;
- Content of the message,
(2) Legal basis
Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
(3) Purpose
The data processing purpose is the processing of your inquiry.
(4) Retention period
Your personal data will be stored until the respective purpose no longer exists. As a rule, this will happen as soon as your inquiry is processed, unless longer retention periods are in effect.
(5) Objection and removal option
You may object to the processing of your personal data in conjunction with the initiation of contacts at any time, which will affect any future transactions. However, in this case, we will not be able to continue to process your inquiry. All personal data that has been stored over the course of the initiation of contact will be deleted in this instance, unless the statutory retention periods are in conflict with the deletion of your data. In this case, your personal data will be blocked until the statutory retention periods have expired.
3. Marketing
a. Web analysis by Google Analytics
(1) Description and scope
In the web analysis context, we use the Google Analytics platform to collect indices on our website, and also analyze your browsing patterns.
If you access individual pages of our website, the following data will be archived:
- IP address;
- Browser you used;
- Operating system you used;
- Screen resolution;
- Mouse and keyboard usage patterns.
(2) Legal basis
Consent, § 25 Sect. 1 TDDTDSG in combination with Art. 6 Sect. 1 S. 1 lit. a) EU GDPR.
(3) Purpose
The data processing purpose is the analysis of your browsing patterns. The analysis of the generated data allows us to compile information concerning the use of the individual components of our website. This enables us to constantly improve our website and the user-friendliness of its functions.
(4) Retention period
A concise list of the retention period of any and all “tracking cookies” that we use is available in our cookie banner.
(5) Objection and removal option
You have the option to revoke your declaration of consent to the processing of your personal data in conjunction with the use of Google Analytics at any time, which will affect all future transactions. Please proceed as explained below:
i. Changing of the consent settings on our website
On our website, we offer you the option to simply revoke the consent to the processing of your personal data in conjunction with the use of Google Analytics.
To do this, simply click on the “Cookie Settings” tab in the footer.
ii. Changing your browser settings
As an alternative, you can deactivate or restrict the transmission of cookies in general by changing your browser settings. You may also delete any already archived cookies at any time. This may also be done automatically. If this also results in the deactivation of technically necessary cookies to be used on our website, you may no longer have full access to all of the functions of our website.
iii. Browser add-on
If you want to prevent the processing of your personal data by Google Analytics, you also have the option to install the browser add-on to deactivate Google Analytics. This add-on tells the JavaScript of Google Analytics (ga.js, analytics.js and dc.js) not to allow the transmission of information to Google Analytics.
If you want to deactivate Google Analytics, please access the page identified below and install the add-on to deactivate Google Analytics for your browser. Detailed information concerning the installation and deinstallation of the add-on can be found in the relevant help resources for your browser.
Browser and operating system updates may cause the deactivation add-on to no longer work as intended. For more information concerning the administration of add-ons for Chrome can be found on the pages specified below. If you do not use Chrome, please obtain the respective information directly from the manufacturer of your browser to determine whether the add-ons in the browser version you are using work properly.
The latest versions of Internet Explorer will occasionally load the add-on required for the deactivation of Google Analytics after personal data has already been transmitted to Google Analytics. If you are using Internet Explorer, this will result in the installation of cookies on your computer by the add-on. These cookies ensure that any and all recorded data is deleted immediately by the server that has recorded the data. Please make sure that the third-party provider cookies are not deactivated for use with Internet Explorer. If you delete your cookies, these cookies will be promptly removed by the add-on to ensure that your Google Analytics browser add-on continues to work without any limitations.
The browser add-on used to deactivate Google Analytics will not prevent personal data from being transmitted to the website or other tracking services.
More information on the terms and conditions of use as well as data privacy is available at:
http://www.google.com/analytics/terms/de.html or at
https://support.google.com/analytics/answer/6004245?hl=de.
Moreover, the IP anonymization has been activated on our website.
4. Data protection and the law
a. Exercising of the rights you have as a data subject pursuant to Art. 12 et seq. EU GDPR
(1) Description and scope
In conjunction with the management of the rights of data subjects, we will process your personal data. To that end, we will process any contact information you have shared in this context only to process and respond to your message and to subsequently document that the processing was in compliance with the applicable laws within the scope of our accountability obligations.
The following personal data will be processed in conjunction with the management of data subject rights:
- First name,
- Last name,
- Postal address,
- Email address,
- Phone number.
(2) Legal basis
Legal obligation, Art. 6 Sect. 1 S. 1 lit. c) in combination with Art. 12 et seq. EU GDPR.
Legitimate interest in the subsequent documentation, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
(3) Purpose
Managing your data subject rights in compliance with the law.
(4) Retention period
Data must be archived for 3 years after the processing of the respective transaction has concluded, § 41 BDSG in combination with § 31 Sect. 2 Nr. 1 OWIG.
(5) Objection and removal option
You have the option to object to the processing of your personal data in conjunction with the management of your data subject rights, which will affect all future transactions. However, in this case we will not be able to further manage your data subject rights.
The documentation of the compliant handling of your rights as the data subject is mandatory. Consequently, you do not have the option to object.
b. Legal defense and enforcement of the law
(1) Description and scope
Your personal data will be processed by us if you file legal claims targeting us or if we file claims and enforce rights targeting you.
(2) Legal basis
Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
(3) Purpose
The data processing purpose is to raise a defense against illegitimate claims and the legal enforcement of claims and rights.
This also constitutes our legitimate interest.
(4) Retention period
Your personal data will be stored until the processing purpose no longer exists. As a rule, this will be the case once the respective ruling becomes legally effective.
(5) Objection and removal option
The processing of your personal data within the scope of the legal defense and enforcement of the law is mandatory for us to ensure that we raise a legal defense or can enforce the applicable laws. Hence, you do not have any option to object.
V. Other Data Processing Activities Outside of Our Website
1. LinkedIn Page
a. Description and scope
We will process your personal data in conjunction with the operation of our LinkedIn Page to reach out to and interact with users and visitors of the social network “LinkedIn”. We will also publish information about our company on this channel.
In the event that you directly interact with our LinkedIn Page (e.g., by sending us a message) we will process the data you have shared with us only for the recording and the submission of a response to your enquiries.
Moreover, we can generate statistics on LinkedIn Page visits. This information is compiled by LinkedIn (“Page Insights”) and enables us to approach the marketing of our activities more effectively and in a more targeted manner.
For LinkedIn Page Insights data, we and LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, are jointly responsible for the processing of data. For this purpose, we have executed a contract with LinkedIn Ireland Unlimited Company to define which of the two companies will process which obligations pursuant to the EU GDPR.
The most significant content of this contract can be reviewed at:
https://legal.linkedin.com/pages-joint-controller-addendum
Information on the data LinkedIn uses to conduct usage analyses related to our LinkedIn Page and which information LinkedIn provides for the purpose of data processing linked to the Page Insights function is available here:
https://www.linkedin.com/help/linkedin/answer/a547077/linkedin-page-analytics-overview?lang=de
For more information on the processing of your personal data by LinkedIn Ireland Unlimited Company, please visit:
https://de.linkedin.com/legal/privacy-policy
b. Legal basis
Legitimate interest, Art. 6 Sect. 1 S. 1 lit. f) EU GDPR.
c. Purpose
The data processing purpose is the analysis of our achievements with our LinkedIn Page as well as the organization of our LinkedIn Page with the aim of matching your interests and processing inquiries.
d. Retention period
Information about the retention period of your personal data with LinkedIn Ireland Unlimited Company is available at:
https://www.linkedin.com/legal/privacy-policy
e. Objection and removal option
If you do not want your personal data to be collected in conjunction with the operation of our LinkedIn Page, you have the option to object at any time to the processing of your personal data within the scope of the operation of our LinkedIn Page, which will subsequently apply to all future operations. In this case, we will forward your revocation request to LinkedIn Ireland Unlimited.
Information concerning the processing of your personal data by LinkedIn can be reviewed at:
https://de.linkedin.com/legal/privacy-policy
VI. Categories of Recipients
Within our company, we will share your personal data with those positions and departments that need them for all the above-mentioned purposes. In addition, we will, in some cases, use the services of different providers and will share your personal data with these other trustworthy recipients. These may, for instance, include the following:
- Printing companies,
- Lettershops,
- Scanning services,
- Banking institutions,
- IT service providers,
- Cooperation partners,
- Lawyers, tax advisors, and courts.
VII. Transfer to Non-EU and Non-EEA Countries
In conjunction with the processing of your personal data, it is possible that we share your personal data with trustworthy service providers in non-EU and non-EEA countries. These countries are nations that are not within the European Union (EU) or the European Economic Area (EEA).
In this context, we cooperate only with such service providers who are in a position to give us qualified guarantees aiming at the protection of your personal data and who are in a position to warrant that your personal data will be processed in compliance with the stringent European Data Protection Standards. A copy of these qualified guarantees may be reviewed at our business.
If we share any personal data with recipients in non-EU and non-EEA countries, this will be done on the basis of a so-called adequacy decision of the European Commission, or, if such a decision is not available, on the basis of so-called standard contractual clauses, which also have been passed by the European Commission.
VIII. Your Rights
You are entitled to the following rights you may exercise in your relationship with us:
1. Right of access
You have the right to receive information as to whether and which personal data of yours we process. In this case, we will provide additional information on:
(1) The processing purpose,
(2) The categories of data,
(3) The recipients of your personal data,
(4) The envisaged retention period or the criteria to determine the envisaged retention period,
(5) Your additional rights,
(6) In the event that you have not shared your personal data with us: All available information as to its origins,
(7) If available: The existence of any automated decision making as well as information on the logic used, the expanse and the desired effects of the processing.
2. Right to rectification
You are entitled to have your data corrected and/or completed if the personal data processed by us is incorrect or incomplete.
3. Right to restriction of processing
You are entitled to the restriction of the processing of your data if:
(1) We are reviewing the correctness of your personal data processed by us,
(2) The processing of your personal data is illegal,
(3) You need the personal data processed by us to pursue your rights after the purpose of processing the data has ended,
(4) You have filed an objection against the processing of your personal data and we are in the process of reviewing your objection.
4. Right to erasure
You are entitled to having your data deleted if:
(1) We no longer need your personal data for the original purpose,
(2) You revoke your consent and if there is no further legal basis for the processing of your personal data,
(3) You have objected to the processing of your personal data and – if the matter in question is not direct marketing – there are no priority grounds for continued processing of the data,
(4) The processing of your personal data is illegal,
(5) The deletion of your personal data is mandated by law,
(6) Your personal data refers to minors for information society purposes.
5. Right to notify
If you have exercised your right to have data corrected, deleted or restricted in terms of processing, we will notify all recipients of your personal data, to correct, delete or restrict the processing of such data.
6. Right to data portability
You have the right to receive any personal data you have provided to us based on consent or to perform a contract in a structured, commonly used and machine-readable format and to have same transferred to another data controller. If this is technically feasible, you have the right to instruct us to send this data directly to another data controller.
7. Right to object
In the event that special grounds apply, you have the right to object to the processing of your personal data. In this case, we will no longer process your personal data, unless we are in a position to raise mandatory protection worthy grounds for continued processing.
If your personal data is being processed for the purpose of direct marketing you do, at any time, have the option to object.
8. Right to revoke consent
You have the right to revoke any consent you have given us at any time. The revocation of consent does not affect the legitimacy of any prior processing on the basis of consent.
9. Right to file a complaint with a supervisory authority
Any other administrative or court enforced legal remedies notwithstanding, you shall have the right to file a complaint with the competent supervisory authority, if you are of the opinion that the processing of your personal data by us is in violation of the EU GDPR.
The competent supervisory authority for our company is:
Der Hamburgische Beauftragte für Datenschutz und Informationssicherheit
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg