Data Protection Guideline

Data Protection Guideline

Preamble

Neumann&Müller places particular importance on the responsible and respectful handling of our employees', clients' and service providers' personal data as well as of that of any other parties concerned. Current statutory regulations, primarily the General Data Protection Regulation (GDPR), have introduced stricter requirements regarding lawful data processing. Infringement of data protection law can have serious consequences for Neumann&Müller and the employees involved. The purpose of this guideline is to ensure that data protection at Neumann&Müller is organised in compliance with the law. In addition to this guideline, other corporate guidelines and instructions may apply whose purpose, either in part or in full, is to protect personal data.

Significance, objective, accessibility

This corporate guideline is the binding basis for handling personal data at Neumann&Müller GmbH & Co. KG and all its affiliates. It has been formulated with the intention of safeguarding and protecting the basic rights and freedoms of data subjects, in particular their right to the protection of their personal data. This corporate guideline must be easily accessible for all employees and executive staff at all times.

Scope of application

This guideline applies to all employees of Neumann&Müller. It applies personally to all of the company's staff (including interns and students) and executives. Freelance personnel and leased staff, insofar as they are tasked with the processing of personal data, shall submit a written declaration to the effect that they will observe the requirements of this guideline. The employee responsible for the contract with the other party (for example: for employees = HR manager, for suppliers = the person placing the order, for freelance technicians = personnel booker, for subcontractor = project manager, etc.) is also responsible for arranging the other party's agreement to such an obligation.
 

The requirements and prohibitions of this corporate guideline apply to all handling of personal data, regardless of whether this takes place electronically or on paper. They also include all types of data subjects (clients, employees, suppliers, etc.) in their scope.

Definitions

Personal data means any information relating to an identified or identifiable natural person (data subject). A data subject is identified or identifiable if data can be associated with a certain person either because the name is already contained in the data or because an association is possible by combining the data with other available data. Personal data includes client data as well as the personnel data of employees. For example, the name of a contact also enables an association with a natural person, as does his/her e-mail address. A person can also be identifiable even if the information first has to be linked to additional knowledge, e.g. a car registration number, client number or pseudonym as a user name/access code. The form of the information is irrelevant with respect to the possibility of association with a person. Photos, videos or sound recordings can also constitute personal data.

Special categories of personal data means information that can reveal a person’s racial or ethnic origin, political opinions, religious or philosophical convictions or any trade union membership as well as a natural person's genetic data, biometric data, health data or data on their sex life or sexual orientation.

Processing means any operation which is performed on personal data, whether aided by computer technology or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. Accordingly a third party is, for example, a company with which Neumann&Müller collaborates if client or employee data, for example, is made available to this company.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.

Data protection organisation

The company has engaged a data protection officer, whose contact details are given below:

Thomas Brehm
c/o BBS Bier Brehm Spahn Partnerschaft Rechtsanwälte
Brandstwiete 46
20457 Hamburg
Germany
E-Mail: datenschutz(at)neumannmueller.com 

The data protection officer monitors compliance with the GDPR as well as with other statutory provisions, including the provisions of this and other guidelines issued by the company, on the subject of data protection. The data protection officer advises and informs the management regarding existing data protection obligations and is responsible for communication with supervisory authorities. He/she performs sample, risk-oriented reviews of selected processes at suitable intervals to check their conformity with data protection provisions.

The data protection officer is free to use his/her specialised knowledge in the area of data protection at his/her own discretion. He/she reports directly to the company management. The company and its employees are obliged to support the data protection officer in the performance of his/her duties.

The data protection officer is to be informed immediately in all cases involving procedures requiring particular attention in terms of data protection, in particular in the event of:

  1. Enquiries or other measures by data protection supervisory authorities
  2. Press enquiries regarding data protection at Neumann&Müller
  3. Input and complaints from data subjects, e.g. requirements concerning the provision of information, erasure or the restriction of processing
  4. Suspected or actual infringements of data protection provisions at Neumann&Müller

The data protection officer should be contacted via the IT department (datenschutz@neumannmueller.com). In particularly urgent cases, contact can be made directly. Furthermore, every employee has the right to contact the data protection officer directly, in particular regarding matters concerning the employee himself/herself. The data protection officer shall treat employees' affairs in confidence, including vis-à-vis the management, unless it is necessary to name the employee in the handling of the affair concerned.

If Neumann&Müller receives enquiries or communications regarding requests for information, erasure, restriction of processing or data protection infringement, whether in writing, by e-mail or by telephone, the employee receiving the enquiry or communication shall:

  1. Document the enquiry or communication, if received verbally, thereby accurately and correctly recording the contact details of the person making the enquiry/supplying the information (name, address, telephone number for future contact) 
  2. Send the enquiry/documentation according to 1.) above immediately and without delay to the IT department (datenschutz@neumannmueller.com) for further handling

The company data protection officer shall be consulted when answering the enquiry.

Handling personal data

The processing of personal data is generally prohibited unless a statutory rule explicitly allows such data handling. Processing of personal data is generally allowed:

  1. If a contract exists with the data subject. Example: The storage and use of necessary personal data of contact persons within the context of a client order
  2. During measures necessary before entering into a contract upon request by the data subject as well as during execution of the contract with the data subject. Example: Customer C requests information on product/project X and procures this product/project. The data required for sending information materials as well as for executing the transaction (project execution/supply of goods and payment of the purchase price) may be processed
  3. If and to the extent that the data subject has given consent. Example: The data subject registers for a newsletter
  4. If the company is subject to a legal obligation. Example: Statutory retention periods according to the German Commercial Code (Handelsgesetzbuch, HGB) and German Fiscal Code (Abgabenordnung, AO)
  5. If there are legitimate interests of the company, provided that the interests or fundamental rights of the data subject are not overriding. However, data processing operations should not be performed invoking a legitimate interest before consulting the data protection officer. The data protection officer need not be involved if the operation is already included in the records of processing activities. Example: In the context of an order, processing of contact details that do not come from the client (trade fair stand constructors, agencies, planners, caterers, etc.)

Personal data is to be processed for a previously determined, unambiguous and legitimate purpose. The keeping of data for no purpose, for example storage of data for possible future use, is not permitted.

If possible, the handling of personal data should be avoided. Pseudonyms or anonymous data processing shall be preferred. Furthermore, only such personal data may be collected/processed that is really necessary for the purpose concerned. For example, an e-mail address must be collected for an e-mail newsletter but not a postal address or telephone number.

The purpose that originally constituted the basis for handling data may only be changed – in addition to the data subject having giving consent – if the purpose of further processing can be reconciled with the original purpose. Account must be taken in particular of the reasonable expectations of the data subject vis-à-vis the company regarding such further processing, the type of data used, the consequences for the data subject and the possibilities of encryption and pseudonymisation.

Upon collection of his/her personal data, the data subject shall be informed in detail regarding the handling of his/her data. Such information shall include the intended purpose, the identity of the controller, the recipients of his/her personal data as well as any other information pursuant to Article 13 GDPR necessary to ensure fair and transparent processing. The information shall be formulated in an intelligible and easily accessible form, using plain language. A sample notification can be retrieved from the internal WIKI . Alternatively, the notification can be given using the e-mail signature to the latest version of the Neumann&Müller Privacy Notice (see above WIKI entry for sample text).

If personal data is not collected from the data subject but, for example, obtained from another company, the data subject shall be subsequently and comprehensively informed pursuant to Article 14 GDPR regarding the handling of his/her data. This also applies to any change in the purpose of data processing.

Personal data shall be factually correct and, if necessary, up to date. The scope of data processing should be necessary and relevant with regard to the specified purpose. The location and department concerned shall ensure implementation by establishing appropriate processes. 

Personal data shall be erased or anonymized if no longer required, in particular if the contractual relationship is permanently ended and there is no obligation to retain such data in accordance with tax laws. 

Copies of personal data may only be made to the extent necessary taking the purpose into account, in particular for back-ups.

Special categories of personal data

Special categories of personal data may only be collected, processed or used with the consent of the data subject or, under exceptional circumstances, on the basis of explicit statutory permission. Furthermore, additional technical or organisational measures shall be taken (e.g. encryption during transport, minimal granting of privileges) to protect special personal data.

Disclosure and transfer of data

The disclosure of personal data to third parties is only admissible on the basis of statutory permission, for example a contract or legitimate interest of Neumann&Müller or the data subject's consent.

If the recipient of personal data is located outside of the European Union or the European Economic Area (e.g. processing by a service provider in the USA), special measures shall be taken to safeguard the rights and interests of the data subject. Data shall not be transferred if no appropriate level of data protection is in place at the body receiving the data or if such protection cannot be established by means of specific contract clauses.

External service providers

If external service providers are to receive access to personal data, the IT department shall be informed in advance. Forwarding of personal data without a demonstrable basis and safeguards (contract or sufficient obligation to confidentiality as provided by the legal department) is prohibited.

Service providers with possible access to personal data shall be selected carefully before an order is placed. Such selection shall be documented and should take account of the following aspects in particular:

  1. Professional suitability of the contractor to handle data in the circumstance in question
  2. Technical/organisational security measures
  3. The contractor's experience on the market
  4. Other aspects that allow conclusions to be drawn about the contractor's reliability (data protection documentation, willingness to cooperate, response times, etc.)

If a service provider is commissioned to collect, process or use personal data, a contract for commissioned processing shall be entered into. This shall set out provisions for data protection and IT security. The contact person for such matters is the data protection officer.

The service provider shall be regularly inspected with regard to the technical/organisation measures agreed in the contract. The result shall be documented.

Data minimisation, privacy by design/privacy by default

The handling of personal data shall be organised in accordance with the aim of collecting, processing or using as little data as possible from a data subject (data minimisation). In particular, personal data shall be anonymized or pseudonymised insofar as this is possible in accordance with intended use. For example, it will not be necessary to know and use the full name of a data subject in the context of a statistical evaluation of data. Instead, this information can be substituted by a random value that can also ensure the capability of distinguishing among the items of underlying information.

The same applies accordingly to the selection and design of data processing systems. Data protection shall be integrated from the very beginning into the specifications and the architecture of data processing systems to facilitate compliance with the principle of protection of the private sphere and of data protection, in particular the principle of data minimisation.

Rights of data subjects

Data subjects have the right to information regarding the personal data stored in the company about their person. When handling requests, the identity of the data subject shall be determined beyond any doubt. If there are grounds to doubt his/her identity, additional details can be requested from the applicant. 

Information shall be given in writing unless the data subject made the request by electronic means. Should the data subject so wish, a copy of the data subject's data shall be attached, which includes, besides the data on the person himself/herself, also the recipients of the data, the purpose of storage as well as all further information demanded in accordance with the provisions of Article 15 GDPR to make the data subject aware of processing and be able to assess the lawfulness himself/herself. Upon special request by the data subject, the data shall be made available in a structured, commonly used and machine-readable format. The IT department shall determine the standard to be envisaged for this purpose.

Data subjects have the right to have their personal data rectified if it proves to be incorrect. They may also demand that incomplete personal data be made complete.

Under the following preconditions, the data subject has the right to erasure of his/her personal data:

  1. Knowledge of the data is no longer necessary to fulfil the purpose of their storage
  2. The data subject has withdrawn his/her consent and there is no other legal basis for processing
  3. Processing is inadmissible
  4. The data subject objects to processing for marketing purposes and invokes a right to object based on a particular personal situation (for which grounds must be given)
  5. The data is special personal data whose correctness cannot be proved
  6. There are other legal obligations to erase data

If there is an obligation to erase and if the personal data was previously made public, other data processing controllers shall be informed of any request by the data subject to have the data erased with regard to all copies of his/her data as well as all links to such data.

  1. The data subject can demand restriction of processing of his/her data if:
  2. The correctness of personal data is disputed. However this shall only apply for as long as its correctness is being reviewed by the location or department responsible
  3. Processing is inadmissible but the data subject opposes erasure of the  data
  4. Neumann&Müller no longer needs the personal data for the purposes of the processing, but the personal data is required for the establishment, exercise or defence of legal claims
  5. The data subject has objected to the processing due to a special situation and the location or department responsible is still reviewing the objection

The data subject shall be informed of all measures taken as a result of his/her request within one month at the latest. The data protection officer shall be available for consultation concerning safeguarding of the data subject's rights.

Information requests from third parties concerning data subjects

If a body requests information concerning data subjects, for example clients or employees of this company, the forwarding of information is only permitted if:

  1. The body giving the information can demonstrate an appropriate legitimate interest
  2. Giving such information is prescribed by a statutory standard
  3. The identity of the person or body making the request is determined beyond doubt

Record of processing activities

Neumann&Müller keeps a record of all data processing activities. Each department and each location shall appoint a person responsible for documenting all necessary information on the processes of the department concerned in accordance with the statutory requirements of Article 30 GDPR. The data protection officer can be consulted regarding information required by law. The IT department is the point of contact for the record and all related questions. Neumann&Müller makes the record available to the supervisory authority upon request. The data protection officer is responsible with the agreement of the company management.

Marketing

The use of personal data for marketing by letter, telephone, fax or e-mail is only admissible if the data subject has previously given consent for the use of his/her data for marketing purposes. Exceptions are only permitted if a permissive rule exists. Please consult the data protection officer in this regard.

Training

Employees who have constant or regular access to personal data, who collect such data or who develop systems for processing such data shall be given appropriate training in data protection requirements. Neumann&Müller shall decide on the form of such training courses and the intervals at which they shall be held.

Confidentiality obligation

Employees are not allowed to process or use personal data without authorisation (data confidentiality). In particular, no personal information of which employees gain knowledge in the course of or in connection with their work at Neumann&Müller may be forwarded, disclosed to third parties, copied, erased or amended without authorisation unless this is done for the purpose of the employee's work for Neumann&Müller and corresponds to the company's instructions. Any unauthorised processing or use for other purposes is prohibited. These obligations shall continue to apply even after employment at Neumann&Müller has ended.

Infringements of data confidentiality can be punished with considerable fines or terms of imprisonment. Claims for damages may also arise in the event of unauthorised collection, processing or use of data. Employees subject to special confidentiality obligations (e.g. telecommunications secrecy according to Section 88 of the German Telecommunications Act (Telekommunikationsgesetz, TKG) shall also be obliged to sign a written commitment to that effect by the company management.

Complaints

Each data subject, including each employee, has the right to complain about the processing of his/her data if he/she feels that his/her rights have been infringed. Employees can also report infringements of this company guideline at any time. Such complaints should be addressed to the data protection officer in his/her capacity as an internal, independent authority free to act at his/her own discretion.

Internal investigations

The relevant statutory data protection regulations shall be closely observed in connection with any measures aimed at discovering the facts of a case and avoiding or uncovering criminal offences or serious breaches of duty in an employment relationship. In particular, the associated collection and use of data shall be necessary for the purpose of the investigation, appropriate and proportionate with regard to the data subject's legitimate interests. The data subject shall be informed as soon as possible regarding the measures taken concerning his/her person. The data protection officer shall be consulted in advance regarding the choice and form of the measures with respect to all types of internal investigation.

Availability, confidentiality and integrity of data

Depending on the type, scope, circumstances and purposes of processing as well as on the probability of occurrence, a documented assessment of the protection requirements and analysis regarding the risks to the data subject shall be conducted for each process.

There is a general security concept whose purpose is to safeguard the availability, confidentiality and integrity of personal data. This concept is adapted over time to changes in requirements and in framework conditions. Such adaptation shall take account of the state of the art as well as means and measures for encryption and data back-up. The security concept shall be regularly reviewed, assessed and evaluated in terms of the effectiveness of the technical/organisational measures envisaged by the concept.

Measures shall be taken to prevent data processing systems being used by unauthorised persons. Doors of unoccupied rooms shall be locked. Effective measures to control access shall be in place on equipment and shall be activated. System accesses shall always be blocked when personnel is absent.

Passwords enable access to systems and the personal data stored in them. They constitute a personal identification of the user and are not transferable. Measures shall be taken to ensure that passwords are always kept under lock and key. Passwords shall correspond to Neumann&Müller's applicable password guideline. 

Access to personal data shall only be given to those persons who require knowledge of the data concerned to perform their duties ("need-to-know principle"). Access authorisations shall be precisely determined and documented in full. Data transfers via public networks shall be encrypted where possible. Encryption shall be mandatory if demanded by the protection requirement of the personal data.

Sets of personal data collected for differing purposes shall be processed separately from one another. The separation of data shall be ensured by suitable technical and organisational measures.

Maintenance work on systems or telecommunication facilities by external service providers shall be supervised. Measures shall also be taken to ensure that service providers cannot access personal data without authorisation. Remote access shall be allowed in individual cases and shall comply with the principle of least privilege. Wherever possible, remote maintenance activities shall be recorded or logged.

Data protection impact assessment 

Where a processing operation is to be installed that is likely to result in a high risk to the rights and freedoms of data subjects, the data protection officer shall be consulted with respect to conducting a data protection impact assessment.

Personal data breaches

Should personal data for which Neumann&Müller is responsible have been unlawfully disclosed to third parties, the IT department shall be informed without undue delay. The IT department shall consult the data protection officer without undue delay regarding its fact finding measures.

Such notification shall include all information relevant to establishing the facts of the case, in particular the body receiving the data, the persons concerned as well as the category and scope of the data transferred.

Any duties to provide information to supervisory authorities shall be fulfilled exclusively by the data protection officer. Data subjects shall be informed by the management, whereby the data protection officer shall be consulted.

Consequences of infringements

Any negligent or wilful infringement of this guideline can result in consequences under labour law, which may include dismissal with or without notice. Sanctions under criminal law or consequences under civil law, such as compensation for damages, are also possible.

Accountability and future development

Compliance with the provisions of this guideline shall be demonstrable at all times. Particular attention shall be paid to the traceability and transparency of measures taken, for example by means of associated documentation.

This guideline will be regularly reviewed in terms of any required adjustment or supplement with regard to the future development of data protection law and with regard to technological or organisational changes.

Amendments to this guideline shall come into effect even if made informally. Employees and executive staff shall be informed without undue delay and in an appropriate manner of any changes to the provisions.

Queries/Entry into force

This guideline enters into force upon its announcement on 23.04.2018.

The data protection officer is the contact person for any queries regarding this guideline and its interpretation.